Re: PrivateKey Decrypt Failure

2019-09-11 Thread Wim Lewis
On Sep 11, 2019, at 3:31 AM, Chitrang Srivastava wrote:
> I am using openssl 1.1.1b and I am storing private key encrypted.
> 
> I am storing private key as
> PEM_write_bio_PrivateKey(bio, pkey, EVP_aes_128_cbc(), PKeyPassPKCS12, 0, 0, 
> NULL); 

I don't think that PEM_write_bio_PrivateKey() will compute the key length for 
you if you pass 0. If you pass klen=0 it will encrypt with a 0-byte key. Try 
passing strlen(PKeyPassPKCS12) for klen and see if that helps.





Re: Does openssl sanity check ALPN strings?

2019-06-26 Thread Wim Lewis


On Jun 26, 2019, at 4:25 PM, Hal Murray  wrote:
> If a client passes {99, "a", "z" } with a length of 3 to 
> SSL_CTX_set_alpn_protos,
> does that get rejected or sent to the server?
> 
> If a somebody sends that to a server, does it get passed to the alpn callback?

I don't think OpenSSL does any checking on the client side --- whatever bytes 
you supply get sent to the server.

On the server side it does some checking before calling the alpn callback but I 
don't know that it makes any guarantees of validity.




Re: PkiPath with openssl

2019-06-18 Thread Wim Lewis


On Jun 17, 2019, at 11:35 PM, Tobias Wolf  wrote:
> The specification said about sorting and providing the pki path in correct 
> order. 

Ah, I thought you were asking about producing the correct DER representation, 
not assembling the list of certs.

In that case, take a look at the documentation for X509_verify_cert() and 
X509_STORE_add_cert() (also see X509_STORE_CTX_init(), X509_VERIFY_PARAM_*(), 
X509_STORE_CTX_get*_chain()). This will discover and validate a trust chain 
from a specified certificate to any of a set of trust anchors, via a set of 
possible intermediate certificates. The resulting chain should be ordered 
properly (you may need to reverse the order).  If you don't want to spend the 
extra time verifying signatures and constraints and so on, you might be able to 
turn that off by setting some options.

I think the X509_STORE_add_cert() manpage has the most comprehensible 
description of how these pieces fit together.




Re: PkiPath with openssl

2019-06-17 Thread Wim Lewis


On Jun 17, 2019, at 8:09 AM, Tobias Wolf  wrote:
> there already a function available? In fact I´d like to provide a 
> STACK(X509)* as a parameter and get the pem or der encoded asn1 structure 
> back.

Assuming you've already assembled the list of certificates you want to encode, 
I think you can use the generic ASN.1 routines (see the docs in 
doc/man3/X509_dup.pod; I'm not sure why that's where they live) to define the 
encoded structure of the PkiPath; and use the ASN1_SEQUENCE_OF macro in that 
definition. See also the "asn1t.h" header.

I don't remember how to actually do this, but perhaps this will point you in a 
useful direction.




Re: How to Sign and Encrypt in CMS ?

2019-05-06 Thread Wim Lewis


On May 5, 2019, at 7:13 PM, Dr. Pala  wrote:
> small question - I was playing around with the CMS interface and I was 
> wondering what is the right way to generate a signed and encrypted CMS. In 
> particular, for PKCS#7, you could use the signed_and_encrypted choice... but 
> in CMS, there is the envelopedData ... but that does not allow for signing... 
> ??? And for the signed data, there is the signedData type... but that does 
> not allow for encryption... The EncryptedData is for use with PSK - not a 
> case I am interested into...

There are two common approaches that I know of:

- You can combine a SignedData and an EnvelopedData. Depending on your use case 
you may want to sign first and then envelop(e), or envelope first and then 
sign. (IIRC, one of the RFCs suggests sign-envelop-sign, though I can't find 
that text right now.)

- You can use the AuthenticatedEnvelopedData type from RFC5083, with an AEAD 
cipher mode. (This does not provide a signature, but it does provide an 
integrity check which may be sufficient for your needs. You can also combine it 
with SignedData, of course.)

Note that SignedAndEnvelopedData is part of PKCS#7 but wasn't included in CMS; 
even PKCS#7 (RFC2315) suggests that "the sequential combination of signed-data 
and enveloped-data content types is generally preferable to the 
SignedAndEnvelopedData content type" unless you need it for compatibility 
reasons.

Also, last time I tried, OpenSSL's API made it kind of tricky to produce a 
correctly formed sign-envelop or envelop-sign message; that may have improved 
since then, though.




Re: asn1parse genstr question

2019-04-22 Thread Wim Lewis


On Apr 21, 2019, at 8:58 AM, Dmitry Belyavsky  wrote:
> openssl asn1parse -genstr "UTF8String:ф" -out content
> 
> I get a 6-byte file. If I understand correctly, it starts with a 2-byte 
> header indicating the content length and then contains an encoded letter 'ф' 
> I want. But the encoding of it is not UTF8, as the utf8 encoding of a 
> cyrillic letter is 2 bytes long. 

When I do that I get the 6-byte file "0c 04 c3 91 c2 84", which looks like 'ф' 
is getting UTF-8 encoded twice (more exactly, asn1parse is receiving a 
utf8-encoded value but interpreting it as Latin-1, and then encoding that as 
UTF8, which produces nonsense).

The format of the "genstr" option is described in the ASN1_generate_nconf man 
page, which says you can prepend the format modifier "UTF8" to the specifier in 
order to tell genstr to interpret the value correctly. So this produces the 
output you want:

   FORMAT:UTF8,UTF8String:ф

(Oddly, you can't use HEX with UTF8String. It seems like it would be convenient 
to be able to do so.)




Re: Is there a way to retrieve the certificate from SSL_CTX?

2019-03-05 Thread Wim Lewis
On 5. mar. 2019, at 10:14 f.h., Paul Smith  wrote:
> E.g., I'm adding my certificate with SSL_CTX_use_certificate(); is there a 
> way to get it back out?

Does SSL_CTX_get0_certificate() do what you need?

(The "get0" (vs "get") indicates its reference-counting semantics.)




Re: [openssl-users] Creating PKCS#8 from pvk format

2018-12-04 Thread Wim Lewis

On 4. des. 2018, at 4:00 e.h., zhongju li via openssl-users wrote:
> Now I need to convert the key in RSA format to EVP_PKEY, then to PKCS#8. I 
> have tried the following functions, all of these functions return 0 (failure) 
> without any further debugging information/clues:
> EVP_PKEY_assign_RSA(pEvpkey, rsa);

Is it possible that pEvpkey or rsa is NULL? (You need to create a EVP_PKEY with 
EVP_PKEY_new() before putting a specific key into it.)

Otherwise, have you checked whether there is anything in the openssl error 
stack (using ERR_get_error(), ERR_print_errors_fp(), or similar)?

> I did google searching, but have not figured out why the about functions 
> failed (one posting mentions “export version” vs. domestic version??).

There used to be different versions because of US export laws but I don't think 
that has been the case for many years.


-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] updating openssl

2018-11-06 Thread Wim Lewis

On 6. nóv. 2018, at 2:02 e.h., Paul  wrote:
> I configured Openvpn server on ubuntu 16.04 and ubuntu was using a old 
> version of openssl 1.0.2 and I was updating openssl to v1.1.1
> Now I've installed the openssl but now unable to mv file installed to ln -s 
> /usr/local/ssl/bin/openssl /usr/bin/openssl
> failed to create symbolic link '/usr/bin/openssl': File exists
> 
> but then when I use openssl version
>  /usr/bin/openssl: No such file or directory


This is really a general unix question: I suspect you have a dangling symbolic 
link in /usr/bin, pointing to a (now-deleted) old copy of openssl. If so, you 
can just rm the dangling symbolic link.




Re: [openssl-users] porting socket ssl python to c++

2018-08-01 Thread Wim Lewis
This pair of articles is quite old, so some of the API details have changed, 
but it has an overall description of how to use OpenSSL:
   https://www.linuxjournal.com/article/4822
   https://www.linuxjournal.com/article/5487

The link to the example code is broken, but you can find it here:
   https://github.com/Andersbakken/openssl-examples/

One thing to be aware of is that the check_cert() function is just a sketch of 
what a real check_cert() function would need to do (which depends on your 
application, to some extent). There are some functions that have been added to 
OpenSSL since then that, AIUI, can replace having to do those checks in your 
own check_cert():
https://www.openssl.org/docs/man1.1.0/crypto/X509_check_host.html




Re: [openssl-users] command passwd

2018-07-16 Thread Wim Lewis

On 16. júl. 2018, at 1:51 e.h., Carl-Valentin Schmitt wrote:
> mcrypt not only has md5, it has blowfish too and other keys. You can download 
> source at http://sf.net 
> mcrypt is a linux command as follower oft command crypt.


I don't think the "openssl passwd" command has ever used mcrypt. OpenSSL has 
implementations of (almost) all the relevant ciphers in libcrypto already.





Re: [openssl-users] PEM_write_bio_RSAPrivateKey assure Randomness of PK

2018-05-23 Thread Wim Lewis

On 23. maí 2018, at 10:08 f.h., redpath  wrote:
> SO if I add this RAND usage below, em I seeding to assure a different RSA key
> pair each time run of creating a RSA pair.
> 
> I would certainly replace the time with the UUID of the device to be unique
> to the device. You would have to acquire the device to know the seeding. Hey  
> keep the Time
> one too.


Attempting to provide a more useful response ...

That is the right way to add entropy to the pool, but (as everyone else has 
said) neither the current time nor the device's UUID provide enough entropy to 
satisfy any cryptographic requirements. Adding them to the random pool won't 
hurt, but you should set the entropy-estimate argument equal to zero (like you 
did in your example).

Depending on your OpenSSL version *and the platform it's running on*, OpenSSL 
may automatically seed the random pool from the platform's random-number 
source(s). It does this by calling RAND_poll(), which is documented in the same 
manual page as RAND_add(). So, normally you do not need to worry about 
explicitly seeding the random number generator.

However, if you're running on an embedded device, or running immediately after 
bootup, or some other situation in which OpenSSL can't get good entropy from 
the system, you may need to figure out how to supply some yourself. That's 
pretty difficult to do.




Re: [openssl-users] How to produce a nested CMS / PKCS#7 structure?

2016-11-28 Thread Wim Lewis

On Nov 25, 2016, at 12:43 PM, Dr. Stephen Henson  wrote:
> Something like that did happen for PKCS#7 but the  OCTET STRING encapsulation
> is correct for CMS.

Aha, and this difference is called out in RFC5652 [5.2.1]. Thanks, that 
clarifies things for me a little. So typically it's only the outermost 
ContentInfo that directly embeds a CMS object without an intervening OCTET 
STRING, and other structures use EncapsulatedContentInfo instead of ContentInfo.

However, I think the other half of my problem remains: if I'm putting another 
CMS object into a SignedData, AuthEnvelopedData, or other kind of wrapper, the 
OCTET STRING should contain the encoding of that object's structure (e.g. a 
BER-encoded AuthEnvelopedData, SignedData, ContentWithAttributes, etc. 
structure), not a ContentInfo *containing* that structure, right? How do I get 
OpenSSL to give me that encoded object without an enclosing ContentInfo?





[openssl-users] How to produce a nested CMS / PKCS#7 structure?

2016-11-22 Thread Wim Lewis
I'm trying to produce nested structures, like signed-enveloped-signed data. 
This is explicitly described in the various RFCs, but I can't figure out how to 
get OpenSSL to produce valid output, and I can't find any code examples of 
doing this.

What I'm doing (which doesn't quite work) is this: first I create the inner 
content using (e.g.) CMS_encrypt(), getting a CMS_ContentInfo structure. This 
works correctly and if I write it out I get what I expect. Then I want to 
create another CMS_ContentInfo, e.g. using CMS_sign(), which envelops the first 
one. How do I cause the ContentInfo of the SignedData structure to be the 
ContentInfo I obtained from CMS_encrypt()? The closest I can come is code like 
this:


CMS_ContentInfo *innerCms = ;                  // Create the inner CMS content.
BIO *inbetween = BIO_new(BIO_s_mem());         // Write it to a buffer.
i2d_CMS_bio(inbetween, innerCms);
CMS_ContentInfo *outerCms = CMS_sign(cert, key, NULL, inbetween,
                                     CMS_BINARY|CMS_PARTIAL|CMS_NOSMIMECAP);
CMS_set1_eContentType(outerCms, OBJ_nid2obj(NID of innerCms));   // Set the content-type
CMS_final(outerCms, inbetween, NULL, CMS_BINARY|CMS_NOSMIMECAP); // Finalize the CMS structure

(My actual code checks all the return values, but I left those off for clarity.)

Unfortunately, this produces output like this:

   ContentInfo {
      contentType = :pkcs7-signedData;
      content = SignedData {
         ... various ...
         contentInfo = ContentInfo {
            contentType = :pkcs7-envelopedData;
            content = [0] EXPLICIT OctetString{...}
         }
      }
   }
 
where the inner OCTET STRING contains *another* ContentInfo, which then 
contains the nested object.

But from my understanding, the correct syntax for a nested CMS structure is 
this:

   ContentInfo {
      contentType = :pkcs7-signedData;
      content = SignedData {
         ... various ...
         contentInfo = ContentInfo {
            contentType = :pkcs7-envelopedData;
            content = [0] EXPLICIT EnvelopedData {
               ...fields of the EnvelopedData structure...
            }
         }
      }
   }

In other words, I have two extra, incorrect levels of encapsulation: the OCTET 
STRING and the extra ContentInfo.

In order to get the right output, I think I would need both a way to tell the 
CMS structure to use the correct data type *and* the correct contentType OID, 
and also a way to get to the EnvelopedData structure inside of the innerCms 
structure. But neither of those things seems to be accessible using the OpenSSL 
API.

Any hints? Surely someone has used OpenSSL to create nested structures in the 
past?




Re: [openssl-users] Question about stateOrProvince

2016-08-30 Thread Wim Lewis
On Aug 30, 2016, at 6:28 PM, Tim Boring  wrote:
> When creating a CSR, openssl displays the following
> 
> 
> State or Province Name (full name) [Some-State]:
> 
...
> And a couple lines up from that is a comment pointing to RFC 3280, which 
> defines the following:

The original definition is from X.520, I suppose, which doesn't explicitly say 
whether abbreviations are allowed, although the example it gives is for a full 
name (Ohio). [1]

> I'm curious about this because the openssl command will create a CSR where 
> stateOrProvince has a two-character (U.S.) state name, and (at least one) CA 
> (Comodo) will happily issue a cert using such a CSR. 

I think for ordinary domain-validated certificates, almost nothing in the 
Subject is actually validated or used by the browser, and I'd guess not 
inspected by the CA either.

In situations where people actually care, the full name seems to be required 
for that attribute. The following language shows up in a few places via google:

From the CAB Forum guidelines for EV certs [3]:
> State, province, or locality information (where applicable) must use the full 
> name of the applicable jurisdiction.


From a randomly found ITU-T draft of what became the EV certificate guidelines 
(TD 0411 [2], section 8.1.1 (4)):
> State or province or locality information (where applicable) for the 
> Subject’s Jurisdiction of Incorporation or Registration MUST be specified 
> using the full name of the applicable jurisdiction.


My understanding from all this is that the correct use of that attribute is to 
have the full name, not an abbreviation, but that in most cases, a 
certificate's subject can contain any old garbage you like and it'll still work 
for TLS.

For situations other than TLS, of course, it's even vaguer, but I read X.520 as 
implying that the full name is preferred, but abbreviations may be used as 
alternatives in directories and so on.

>  If not, then maybe it's just a matter of changing the prompt (I'm happy to 
> submit a PR for such a minor change).


I'd argue that the prompt should stay the same. The user can type an 
abbreviation if they like, but if they're uncertain whether to type an 
abbreviation or a full name, then it's nice to include that guidance. (The 
country attribute, in contrast, is required to be an ISO3166 code according to 
X.520.)


[1] http://www.itu.int/rec/T-REC-X.520
[2] 
https://www.first.org/global/standardisation/docs/t09-sg17-090916-td-plen-0411__msw-e.doc
[3] https://cabforum.org/ev-certificate-contents/





Re: [openssl-users] CMS with Symmetric key

2016-04-04 Thread Wim Lewis

On Apr 4, 2016, at 3:42 PM, Jakob Bohm  wrote:
> Unless you can point out a clause in the "CMS" format RFCs
> that allow use without X.509 certificates, there is no reason
> why the "CMS" part of the OpenSSL library should be able to
> any such thing.

The CMS RFC (RFC 5652) specifies password based key derivation (in addition to 
asymmetric-key crypto key transport or agreement, and also a 
symmetric-cryptography key transport mechanism). See section 6.2.

It looks like password based key derivation wasn't in the original PKCS#7, but 
was introduced in a 2001 specification (RFC 3211) and was folded into the 2002 
revision of CMS (RFC 3369).




Re: [openssl-users] Converting DER encoded unsigned CSR to internal OpenSSL format

2015-11-11 Thread Wim Lewis

On Nov 9, 2015, at 3:46 PM, Peter P.  wrote:
> I'm writing an application using Openssl 1.0.2d where I am trying to take a 
> DER encoded unsigned CSR and read it into an X509_REQ data structure via the 
> d2i_X509_REQ_bio() function. This function errors out during when I attempt 
> to read in my unsigned CSR and I would like to know if there is any other way 
> to read in an unsigned CSR into an X509_REQ data structure.

A CSR (from PKCS#10 / RFC2986) has the structure:

   SEQUENCE { CertificationRequestInfo, AlgorithmIdentifier, BIT STRING }

where the actual request is the CertificationRequestInfo, and the signature is 
composed of the AlgorithmIdentifier + BIT STRING.

Are you trying to just read in a bare CertificationRequestInfo structure? I 
suspect you can do that with a call like

ASN1_item_d2i_bio(ASN1_ITEM_rptr(X509_REQ_INFO), bp, req)

which is the same as the body of d2i_X509_REQ_bio(), but with X509_REQ replaced 
by X509_REQ_INFO. I haven't tried it, though.

(Whether it's a *good idea* to pass bare CSR info structs around is another 
question but I'll leave that up to you.)


Wim.



Re: [openssl-users] OPENSSL_SYS_VOS meaning

2015-08-24 Thread Wim Lewis
On Aug 24, 2015, at 11:33 AM, David Luengo López dlue...@rti.com wrote:
> 439 #define DUMMY_SEED  /* at least MD_DIGEST_LENGTH */
> 440 /* Note that the seed does not matter, it's just that
> 441  * ssleay_rand_add expects to have something to hash. */
> 442 ssleay_rand_add(DUMMY_SEED, MD_DIGEST_LENGTH, 0.0);
> 
> I don't know why the 0.0 parameter, since we are not adding anything here I 
> never get more entropy in the pool. Any explanation for this 0.0?

Because there is actually no entropy in DUMMY_SEED --- it's a constant. This 
piece of code is stirring the pool; it doesn't increase the amount of entropy 
(unpredictability) in the pool, it just makes sure that all the bits of the 
pool are equally unpredictable. Actual entropy must be added by some other 
piece of code.

> Anyone knows what does OPENSSL_SYS_VOS macro means?

The notes from the patch from Paul Green adding randomness support for VOS 
might have useful information for you:
https://rt.openssl.org/Ticket/Display.html?id=2563&user=guest&pass=guest

(I do not know enough about VxWorks or VOS to say whether defining 
OPENSSL_SYS_VOS safely solves your problem, though it seems plausible)




Re: [openssl-users] Custom OID strange characters

2015-08-11 Thread Wim Lewis

On Aug 11, 2015, at 2:03 PM, Robert Sandilands rsand...@netscape.net wrote:
> So this leads to the next question:
> 
> How do I teach OpenSSL the format of the value for a custom extension without 
> writing code?

What do you want OpenSSL to do with that knowledge?

Presumably, the reason you're adding a custom extension is that some software, 
somewhere, is going to look for it and act upon it. That software will need 
some coding, right?




Re: [openssl-users] Custom OID strange characters

2015-08-11 Thread Wim Lewis
On Aug 11, 2015, at 9:24 AM, Robert Sandilands rsand...@netscape.net wrote:
> I am trying to build a certificate request with a custom OID and it is 
> encoding strange characters in the certificate.
> 
> For example I specify the following line in the .cnf file:
> bla_policy = ASN1:PRINTABLESTRING:blabla
> Then I get the following when I dump the csr:
> 1.2.3.4.5.6.7: 
> ..blabla

This is because openssl doesn't know the format of the value of your custom 
extension.

Running the result of your script through asn1parse shows the extension section 
like this (snipped some entries for brevity):

  417:d=3  hl=2 l=  93 cons:SEQUENCE  
  419:d=4  hl=2 l=   9 prim: OBJECT:Extension Request
  430:d=4  hl=2 l=  80 cons: SET   
  432:d=5  hl=2 l=  78 cons:  SEQUENCE  
  434:d=6  hl=2 l=  12 cons:   SEQUENCE  
  436:d=7  hl=2 l=   3 prim:OBJECT:X509v3 Basic Constraints
  441:d=7  hl=2 l=   1 prim:BOOLEAN   :255
  444:d=7  hl=2 l=   2 prim:OCTET STRING  [HEX DUMP]:3000
  448:d=6  hl=2 l=  11 cons:   SEQUENCE  
  450:d=7  hl=2 l=   3 prim:OBJECT:X509v3 Key Usage
  455:d=7  hl=2 l=   4 prim:OCTET STRING  [HEX DUMP]:030203F8
  492:d=6  hl=2 l=  18 cons:   SEQUENCE  
  494:d=7  hl=2 l=   6 prim:OBJECT:1.2.3.4.5.6.7
  502:d=7  hl=2 l=   8 prim:OCTET STRING  [HEX DUMP]:1306626C61626C61


Notice that the value of each constraint is an OCTET STRING, regardless of 
its type. (The BOOLEAN field in the basic constraints extension is the Critical 
flag.) As is usual with X.500 stuff, tracking down the actual definition of 
this field is a pain, but you can find it in the PKIX RFC3280/5280  (via 
PKCS#10/RFC2986 and PKCS#9/RFC2985):

   Extension  ::=  SEQUENCE  {
extnID  OBJECT IDENTIFIER,
criticalBOOLEAN DEFAULT FALSE,
extnValue   OCTET STRING  }

If you ask asn1parse to dump just the contents of your extension, you'll see 
exactly the PRINTABLESTRING which you requested:

% openssl asn1parse -i -offset 504 -length 8 -in test.csr
0:d=0  hl=2 l=   6 prim: PRINTABLESTRING   :blabla


The two bytes, 13 06, are the DER encoding of a 6-byte string (13 contains the 
tag and class, indicating in this case PRINTABLESTRING, and 06 is the length in 
bytes of the string which follows). Similarly, the basicConstraints value is an 
empty (0-length) SEQUENCE because all of its contents have the default values 
and are omitted; and the keyUsage value is a BIT STRING (tag=3, length=0x02, 
number of unused bits = 0x03, bits=0x1F once you remove the padding) with a 
bitmap of the selected constraints. extendedKeyUsage, which I snipped, is a 
SEQUENCE of OIDs.

If this is a custom extension, you can define its contents to be whatever you 
like. The standardized extensions I know about are all DER-encoded values, but 
I don't think that's an actual requirement.


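The two posts above (the asn1parse "UTF8String:ф" question and the custom-extension dump) both come down to reading raw DER by hand, so here is one added example, written for this page and not taken from any of the list posts or from OpenSSL: a small standard-library-only DER reader that walks the extension from the listing, decodes the PRINTABLESTRING and the keyUsage BIT STRING exactly as described, and undoes the double UTF-8 encoding of "0c 04 c3 91 c2 84" to show the encoding the FORMAT:UTF8 modifier produces. The `EXTENSION` bytes are constructed here from the offsets and hex dump in the post; the function and constant names are this example's own.

```python
# Added example (not code from the list posts): a small DER reader using only
# the Python standard library, to look inside the values discussed above.
import binascii

# Universal tag bytes that appear in the asn1parse listings above.
TAG_NAMES = {
    0x01: "BOOLEAN", 0x02: "INTEGER", 0x03: "BIT STRING", 0x04: "OCTET STRING",
    0x06: "OBJECT", 0x0C: "UTF8String", 0x13: "PRINTABLESTRING",
    0x30: "SEQUENCE", 0x31: "SET",
}

# KeyUsage bit names in bit order (RFC 5280, section 4.2.1.3), bit 0 first.
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
                  "encipherOnly", "decipherOnly"]

# Constructed sample: the custom extension from the listing above, rebuilt byte
# by byte: SEQUENCE { OID 1.2.3.4.5.6.7, OCTET STRING 1306626c61626c61 }.
EXTENSION = binascii.unhexlify("3012" "0606" "2a0304050607" "0408" "1306626c61626c61")

def der_read_tlv(buf, pos=0):
    """Return (tag, header_len, content, next_pos) for the element at pos.
    Single-byte tags and definite lengths only, which is all DER permits here."""
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tag numbers are not handled")
    first = buf[pos + 1]
    if first < 0x80:                        # short form: this byte is the length
        length, hl = first, 2
    else:                                   # long form: 0x8N then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length is not valid DER")
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hl = 2 + n
    start, end = pos + hl, pos + hl + length
    if end > len(buf):
        raise ValueError("element length runs past the end of the buffer")
    return tag, hl, buf[start:end], end

def der_dump(buf, depth=0, offset=0):
    """Print an asn1parse-style listing; return [(offset, depth, tag, content)]."""
    rows, pos = [], 0
    while pos < len(buf):
        tag, hl, content, nxt = der_read_tlv(buf, pos)
        name = TAG_NAMES.get(tag, "[tag 0x%02x]" % tag)
        kind = "cons" if tag & 0x20 else "prim"
        print("%5d:d=%d  hl=%d l=%4d %s: %s%s"
              % (offset + pos, depth, hl, len(content), kind, "  " * depth, name))
        rows.append((offset + pos, depth, tag, content))
        if tag & 0x20:                      # constructed: recurse into children
            rows.extend(der_dump(content, depth + 1, offset + pos + hl))
        pos = nxt
    return rows

def decode_oid(content):
    """Dotted OID from an OBJECT IDENTIFIER body (first arcs below 2.40)."""
    arcs, val = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:                   # base 128, high bit = more bytes follow
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)

def decode_printable(hexval):
    """Decode the element stored inside an extnValue OCTET STRING."""
    tag, _, content, _ = der_read_tlv(binascii.unhexlify(hexval))
    return TAG_NAMES.get(tag), content.decode("ascii")

def decode_key_usage(hexval):
    """BIT STRING: the first content byte is the number of unused padding bits."""
    tag, _, content, _ = der_read_tlv(binascii.unhexlify(hexval))
    if tag != 0x03:
        raise ValueError("not a BIT STRING")
    unused = content[0]
    nbits = len(content[1:]) * 8 - unused
    bits = int.from_bytes(content[1:], "big") >> unused   # drop the padding
    names = [KEY_USAGE_BITS[i] for i in range(min(nbits, len(KEY_USAGE_BITS)))
             if (bits >> (nbits - 1 - i)) & 1]
    return unused, bits, names

def fix_double_utf8(hexval):
    """Undo the Latin-1 misreading of a UTF8String that was encoded twice;
    return the intended text and the DER it should have had."""
    tag, _, content, _ = der_read_tlv(binascii.unhexlify(hexval))
    if tag != 0x0C:
        raise ValueError("not a UTF8String")
    text = content.decode("utf-8").encode("latin-1").decode("utf-8")
    raw = text.encode("utf-8")
    return text, (bytes([0x0C, len(raw)]) + raw).hex()

if __name__ == "__main__":
    der_dump(EXTENSION)
    print(decode_oid(EXTENSION[4:10]), decode_printable("1306626C61626C61"))
    print(decode_key_usage("030203F8"))
    print(fix_double_utf8("0c04c391c284"))
```

`decode_key_usage("030203F8")` gives 3 unused bits and the value 0x1F, which is the first five KeyUsage bits set; `fix_double_utf8("0c04c391c284")` returns 'ф' together with "0c02d184", the two-byte UTF-8 encoding the post's asn1parse command should have produced.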


Re: [openssl-users] OpenSSL and iCloud

2015-01-05 Thread Wim Lewis

On Jan 5, 2015, at 12:01 PM, open...@comaxis.com wrote:
> Are there any known problems using OpenSSL with iCloud?  I am trying to
> connect to imap.mail.me.com using port 993.  My call to SSL_Connect()
> returns 0, with SSL_get_error() returing 1 (SSL_ERROR_SSL).  I am using
> OpenSSL version 1.0.1h, running on Win32.  I can use this code with any
> other IMAP server with no problems.


Are you able to connect using the openssl s_client application? I can connect 
(to port 993, no starttls) with either 1.0.1j or 0.9.8za; perhaps s_client will 
give you a more diagnostic error message if it also fails for you.


___
openssl-users mailing list
openssl-users@openssl.org
https://mta.opensslfoundation.net/mailman/listinfo/openssl-users


Re: OPENSSL_cleanse()

2014-10-28 Thread Wim Lewis

On Oct 23, 2014, at 10:17 PM, Vladimir Zatsepin vladimir.zatse...@gmail.com 
wrote:
> Does somebody know how OPENSSL_cleanse() works?
> I don't understand what this [17, 63, 0xF] values means. Why such values were 
> chosen?

I think it's a simplistic random number generator, like a linear congruential 
generator- it's trying to fill the buffer with random-looking data. I'm not 
sure why it's doing that instead of simply filling with a constant value, 
though. (And if super-low-quality random numbers are sufficient/desired here, 
why not just call rand() ?)

The code starting from memchr() is particularly odd.


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org


Re: Format of sig in EVP_SignFinal for DSA keys

2014-10-08 Thread Wim Lewis

On 6 Oct 2014, at 2:11 PM, Grahame Grieve wrote:
> I can't find any documentation as the exact format of sig produced by
> EVP_SignFinal when using a DSA key. It's 71 bytes, but 71 bytes of
> what?

Just guessing here, but there are two formats I've seen for (EC)DSA signatures. 
One of them is an ASN1 DER-encoded SEQUENCE of two INTEGERs, 'r' and 's' --- 
the X.509 Dss-Sig-Value structure. The other format is just to pad r and s to 
constant widths and concatenate them without any further headers.

The first format is more common in my experience, and 71 bytes is a reasonable 
length (32 or 33 bytes for each integer's digits including sign bit, 2 bytes 
for the DER header on each, and 2 more bytes for the SEQUENCE = 71 bytes). 
Signatures in the second format will always have an even length; signatures in 
the first format will vary by a few bytes depending on the values of r and s.


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org
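As an added example for the reply above (written for this page, not code from the list or from OpenSSL), here are both signature encodings it describes: the DER SEQUENCE of two INTEGERs (the Dss-Sig-Value form, which is what OpenSSL's DSA_sign()/ECDSA_sign() and hence EVP_SignFinal() emit) and the fixed-width r || s concatenation, with conversion in both directions. The r and s values are constructed to show the length arithmetic for a 256-bit subgroup order; they are not a real signature, and all names are this example's own.

```python
# Added example (not code from the list posts): the two (EC)DSA signature
# encodings described above, with conversion both ways.

def der_integer(n):
    """DER INTEGER for non-negative n: shortest big-endian form, with a 0x00
    prefix when the top bit is set so the value is not read as negative."""
    body = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    if len(body) >= 128:
        raise ValueError("long-form lengths are not needed for signature sizes")
    return bytes([0x02, len(body)]) + body

def der_sequence(*elements):
    body = b"".join(elements)
    if len(body) >= 128:
        raise ValueError("long-form lengths are not needed for signature sizes")
    return bytes([0x30, len(body)]) + body

def encode_der_sig(r, s):
    """Dss-Sig-Value ::= SEQUENCE { r INTEGER, s INTEGER }"""
    return der_sequence(der_integer(r), der_integer(s))

def decode_der_sig(sig):
    """Parse the SEQUENCE form; rejects trailing data and non-minimal INTEGERs."""
    if len(sig) < 2 or sig[0] != 0x30 or sig[1] != len(sig) - 2:
        raise ValueError("not a short-form DER SEQUENCE")
    values, pos = [], 2
    for _ in range(2):
        if pos + 2 > len(sig) or sig[pos] != 0x02:
            raise ValueError("expected INTEGER")
        n = sig[pos + 1]
        body = sig[pos + 2:pos + 2 + n]
        if len(body) != n or n == 0 or (n > 1 and body[0] == 0 and not body[1] & 0x80):
            raise ValueError("bad or non-minimal INTEGER")
        values.append(int.from_bytes(body, "big"))
        pos += 2 + n
    if pos != len(sig):
        raise ValueError("trailing bytes after the two INTEGERs")
    return values[0], values[1]

def encode_raw_sig(r, s, width):
    """r || s, each zero-padded to 'width' bytes (the size of the subgroup order)."""
    return r.to_bytes(width, "big") + s.to_bytes(width, "big")

def decode_raw_sig(sig):
    if len(sig) % 2:
        raise ValueError("raw r||s signatures always have an even length")
    w = len(sig) // 2
    return int.from_bytes(sig[:w], "big"), int.from_bytes(sig[w:], "big")

def der_to_raw(sig, width):
    return encode_raw_sig(*decode_der_sig(sig), width)

def raw_to_der(sig):
    return encode_der_sig(*decode_raw_sig(sig))

def der_sig_lengths(width):
    """DER lengths when r and s are both full-width: 2 + width bytes per INTEGER,
    one more for each value whose top bit is set, plus 2 for the SEQUENCE header."""
    base = 2 + 2 * (2 + width)
    return [base, base + 1, base + 2]

if __name__ == "__main__":
    # Constructed values for a 256-bit q: R_HI needs the 0x00 prefix, S_LO does not.
    R_HI = (1 << 255) | 0x1234
    S_LO = (1 << 254) | 0x5678
    der = encode_der_sig(R_HI, S_LO)
    print(len(der), der.hex())                 # 71 bytes, as in the question
    print(len(der_to_raw(der, 32)))            # 64 bytes, always even
    print(der_sig_lengths(32))                 # [70, 71, 72]
```

The 71-byte case in the question is exactly one INTEGER with its top bit set (33 bytes plus a 2-byte header) and one without (32 plus 2), inside a 2-byte SEQUENCE header; `decode_der_sig` also refuses the padded or trailing-byte variants that a non-DER parser would silently accept, which matters when the signature bytes themselves are part of what is being authenticated.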


Re: serverFull and otherFull

2014-04-22 Thread Wim Lewis

On 21 Apr 2014, at 10:27 PM, Sri Ramya wrote:
> can any one explain me what is server full and theotherfull in openssl 
> terminology???


I think we need more context. Where are you seeing those terms?


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org


Re: Looking more at the Heatbleed

2014-04-10 Thread Wim Lewis

On 10 Apr 2014, at 2:02 PM, mclellan, dave wrote:
> We are looking more deeply into Heartbleed to determine the risk to our 
> proprietary, non-open application.
> 1.   Background summary: Our proprietary client/server protocol is 
> protected by TLS with OpenSSL 1.0.1c and 1.0.1e.   We do not respond to http 
> or any other standard protocols.  The session initiation and RPC-like 
> communication between client and server is encapsulated inside an API library 
> which an application can’t influence directly.  Neither the physical socket 
> nor the SSL object that represents the channel is directly accessible to the 
> caller of the API library.

If a malicious client can connect and go through the TLS handshake, even if 
they never speak the inner protocol, then they are able to issue heartbeat 
requests and extract memory contents. (Or if your client can be made to connect 
to a malicious server: the server can issue heartbeat requests to the client.)

If it's impossible to make any TCP connections except through your API, then 
you're safer, because (a) no heartbeats will be sent, because nobody uses this 
feature with non-datagram TLS and (b) even if they were, a non-malformed 
heartbeat does not leak info.

But if you're using TLS at all, then presumably this is because the TCPIP 
network over which TLS is running is potentially insecure in some way (e.g., 
it's the open internet); an attacker with the ability to send packets on that 
layer could start making TLS connections and extracting data even with no 
knowledge of your proprietary protocol. If you are in a situation where you are 
only concerned about purely passive eavesdroppers on that connection, though, 
then I believe you are safe. 


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org


Re: OpenSSL version 1.0.1g release signed with unauthorized key???

2014-04-09 Thread Wim Lewis

On 9 Apr 2014, at 4:12 PM, Jakob Bohm wrote:
> Attention: The .asc file I downloaded directly from openssl.org for the 
> 1.0.1g tarball was signed with a key NOT authorized by the fingerprints.txt 
> file distributed in previous tarballs, nor by the (unverifiable) 
> fingerprints.txt available from
> 
>   http://www.openssl.org/docs/misc/
> 
> Specifically, it was signed by a PGP key purporting to belong to Dr. Henson, 
> but with a different identifier and a different e-mail address
> than the authorized key listed for him in fingerprints.txt.
> 
> I suspect this is just a mixup at your end, but one cannot feel too
> sure without a valid file signature consistent with the securely distributed 
> signature list.

I also noticed this--- previous tarballs were all signed by the F295C759 key 
(fingerprint ending in D57EE597), but this announcement and the 1.0.1g tarball 
were both signed by the FA40E9E2 key. However, the new key (all three of its 
userids) *is* signed by the old key, so there is I think some assurance that 
the new key also belongs to Dr Stephen Henson and that the release is 
legitimate.


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org


Re: SSL vs. SSH in the context of CVE 2014-0160

2014-04-08 Thread Wim Lewis

On 8 Apr 2014, at 7:14 PM, Chris Hill wrote:
> Team, I am having a discussions with a few friends about why this OpenSSL 
> vuln (CVE 2014-0160) does not affect SSH. This may be TOO basic for many of 
> you (apologize in advance), but can't think of any other way to prove my 
> point other than speaking to the folks who really know (that's u). Or maybe I 
> am the one wrong, wouldn't be the first time ;).
> 
> A quick response to my frieds could be simply diffing the files for the 
> actual OpenSSL change, e.g. ssl/d1_both.c and ssl/t1_lib.c, but I want a more 
> classy answer. 
> 
> Is the below ok or am I completely off?
> 
> Thank you in advance
> 
> SSH and SSL/TLS are simply different protocols (doh). They may share some 
> similar underlying crypto implementations, but as of their respective RFCs, 
> they are just different protocols. The TLS Heartbeat TLS extension would not 
> apply to SSH. SSH may have its own way to keep alive, but that would be a 
> different one.
> 
> Chris.

This is correct as I understand it. ssh uses openssl mostly for crypto 
operations, but the ssh protocol does not have anything in common with ssl/tls 
(other than some fairly general design aspects). The heartbeat bug is 
particular to the openssl implementation of the heartbeat feature in tls, and 
that code isn't used by openssh.




Re: Regarding openssl-devel

2014-03-12 Thread Wim Lewis

On 12 Mar 2014, at 4:44 AM, banupriya wrote:
 Hi All,
 
 I would like to know how different is openssl-devel from openssl098 version.
 
 Thanks in Advance,
 Banupriya K


There is a detailed changelog here:
 http://www.openssl.org/news/changelog.html

In terms of API, they are not much different; code written with 0.9.8 in mind 
will usually compile correctly with 1.0.1. They are not binary-compatible, 
though (you must recompile, not just re-link). The newer versions have 
additional ciphersuites and features but they make an effort to maintain source 
compatibility.




Re: Openssl 0.9.8r - openssl 1.0.1e

2014-01-08 Thread Wim Lewis

On 8 Jan 2014, at 12:14 PM, Hasan, Rezaul (NSN - US/Arlington Heights) wrote:
 If I have a Linux CLIENT machine running with  openssl 0.9.8r  
 establishing  HTTPS sessions   with a Linux SERVER running openssl 1.0.1e
  
 Is there any problems I should anticipate? In other words, should those two 
 versions of openssl be able to play nicely with each other without causing 
 any undesired behavior ?  Are there any limitations that I need to be aware 
 of?

I've run programs built with earlier 0.9.8 versions talking to programs built 
with earlier 1.0.1 versions with no problems. As far as what goes across the 
network, they should be entirely compatible as long as they have some 
ciphersuites and protocol versions in common, which they normally will.

(They're not necessarily API- or binary-compatible--- that is, if you build a 
program, link it against the 0.9.8 dynamic library, and when you run it give it 
the 1.0.1 dynamic library instead, things can break. But it doesn't sound like 
that's what you're doing.)




Re: tlsv1 alert unknown ca

2013-10-01 Thread Wim Lewis

On 1 Oct 2013, at 3:00 PM, Troyanker, Vlad wrote:
 PROBLEM: the server fails SSL connection with SSL_accept: tlsv1 alert unknown 
 ca
 
 The funny part I cannot even find where in source code that error (code 
 SSL_R_TLSV1_ALERT_UNKNOWN_CA) gets thrown. I am looking through 
 openssl-1.0.1e/ssl/s3_srvr.c
 
 What am I missing?

That means that the server has sent you the TLS1_AD_UNKNOWN_CA alert (see 
rfc2246 section 7.2, where it's listed as the unknown_ca alert). The 
SSL_R_foo reasons for alerts are numbered the same as the corresponding TLS 
protocol constants plus SSL_AD_REASON_OFFSET, which is 1000.

From ssl/s3_both.c, it looks like this alert is generated for either the 
X509_V_ERR_INVALID_CA or X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER errors in 
verification.




Re: Warning for SSL_read()

2013-08-12 Thread Wim Lewis

On 12 Aug 2013, at 3:36 AM, John Selbie wrote:
 I'm upgrading a socket server written for non-blocking TCP sockets to use 
 OpenSSL in non-blocking mode.
 
 In the man page for SSL_read, the following is stated:
 
 When an SSL_read() operation has to be repeated because of 
 SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE, it must be repeated with the 
 same arguments.
 
 There is no misunderstanding of that statement. It implies that the three 
 parameters passed to this function (SSL, buffer, and length) must be the same 
 each time.
 
 But can there be an explanation for this?
 
 I have a minor concern for converting many of the existing recv() calls to 
 use SSL_read(). I can guarantee the length parameter is the same, but given 
 the behavior of the code with regards to stack variables, it would be unsafe 
 to assume that the buffer address is the same.

I wonder if that warning is erroneously duplicated from the SSL_write() man 
page. From a glance at ssl3_read_bytes(), there's no reason that SSL_read() 
should care whether the read buffer is the same each time. SSL_write() can 
care, though.

As I understand it, SSL_write()'s semantics don't really follow write()'s 
semantics unless you set the SSL_MODE_ENABLE_PARTIAL_WRITE flag. The default 
behavior of SSL_write() is that you pass the same buffer+length repeatedly and 
SSL_write() will consume parts of that buffer (maintaining a partial write 
pointer internally) until it's done. (I much prefer the PARTIAL_WRITE 
semantics. :) ) So, if you're using the non-PARTIAL_WRITE semantics, then 
SSL_write() checks that the arguments are the same on a retry, as a way of 
checking that its internal partial-write pointer is still valid.

But SSL_read()'s semantics are read()-like whether you set that flag or not, 
and it doesn't look like it maintains any internal assumptions about the read 
buffer. All it does is memcpy() from the decryption buffer into the caller's 
buffer right before returning, as you'd expect it to.




Re: Extracting data from custom extension

2013-07-16 Thread Wim Lewis

On 15 Jul 2013, at 4:24 PM, jimits10 wrote:
 I have a custom extension with test oid 1.2.3.4.5. I try to extract the oid
 data in the following manner:
[]
 On investigating I found that ASN1 String was encoded in the form that it
 had 04 at the start to denote ASN1 coding followed by the length of the
 bytes and later my json string. However ASN1_get_object was taking 04 to be
 a tag value and stripping it off but was not stripping off the length which
 gave me a .@ extra at the start. How do I solve this problem? Is it
 necessary that ASN1 String has to have to a tag? Am I decoding the extension
 value correctly?

As I understand it, ASN1_get_object just reads the header of an arbitrary 
object, and doesn't parse the inside at all. You'd need to look at the tag to 
know how to interpret the stuff in octet_str_data. Presumably if the data is 
what you expect, it's one of the string types. I'm not sure what the easiest 
way to parse it is, maybe ASN1_item_d2i().
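A small parser, added here as an illustration and not part of the original thread, that reads the DER tag and length of the extension value and returns the bytes inside the OCTET STRING, so the length byte(s) are consumed rather than left at the front of the JSON; all sample bytes are constructed.

```python
"""Unwrap a custom X.509 extension value that is a DER OCTET STRING.

Added example, not code from the original thread. The poster's extension value
starts with tag 0x04 (OCTET STRING) and a length, then the JSON text; this
parser consumes both the tag and the length bytes before handing back the
payload. All sample bytes below are constructed for this example.
"""

TAG_OCTET_STRING = 0x04
TAG_UTF8STRING = 0x0C
TAG_IA5STRING = 0x16
STRING_TAGS = {TAG_OCTET_STRING, TAG_UTF8STRING, TAG_IA5STRING}


def read_tlv(buf: bytes, offset: int = 0):
    """Parse one DER tag-length-value at buf[offset:].

    Returns (tag, value, next_offset). Short-form lengths (< 0x80) and
    long-form lengths (0x81..0x84 followed by 1..4 big-endian length bytes)
    are handled; indefinite-length and non-minimal encodings are rejected
    because DER forbids them.
    """
    if offset + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag = buf[offset]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags are out of scope for this example")
    first = buf[offset + 1]
    pos = offset + 2
    if first < 0x80:
        length = first
    elif first == 0x80:
        raise ValueError("indefinite length is BER, not DER")
    else:
        nbytes = first & 0x7F
        if nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("bad long-form length")
        raw = buf[pos:pos + nbytes]
        length = int.from_bytes(raw, "big")
        if raw[0] == 0 or length < 0x80:
            raise ValueError("non-minimal length encoding is not DER")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("value runs past the end of the buffer")
    return tag, buf[pos:end], end


def extension_payload(ext_value: bytes) -> bytes:
    """Return the bytes inside the extension's string wrapper.

    The tag is checked against the string types this example accepts, and
    trailing bytes after the value are treated as an error.
    """
    tag, value, end = read_tlv(ext_value)
    if tag not in STRING_TAGS:
        raise ValueError(f"unexpected tag 0x{tag:02x}; not a string type")
    if end != len(ext_value):
        raise ValueError("trailing bytes after the extension value")
    return value


# Constructed sample: JSON like the poster's, wrapped as an OCTET STRING with
# a short-form length (29 bytes -> 0x1d).
SAMPLE_JSON = b'{"device":"sample","id":1234}'
SAMPLE_SHORT = bytes([TAG_OCTET_STRING, len(SAMPLE_JSON)]) + SAMPLE_JSON

# Constructed sample with a long-form length: a 200-byte payload needs the
# 0x81 prefix (one length byte follows).
LONG_JSON = b'{"padding":"' + b"x" * 186 + b'"}'
SAMPLE_LONG = bytes([TAG_OCTET_STRING, 0x81, len(LONG_JSON)]) + LONG_JSON

if __name__ == "__main__":
    print(extension_payload(SAMPLE_SHORT).decode())
    print(len(extension_payload(SAMPLE_LONG)))
```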




Re: openssl 1.0.1e Signature verification problems

2013-06-18 Thread Wim Lewis

On 14 Jun 2013, at 6:09 AM, anand rao wrote:
 I am using openssl 1.0.1e to create a CA and generate certificates.
 
 I am facing an issue while generating the device certificates.
 After creating the ca certificate using below command
 
 # openssl req -x509 -new -newkey rsa:1024 -keyout private/cakey.pem -days 
 3650 -out cacert.pem
 
 when we try to display the contents  the signature algorithm is shown as 
 itu-t instead of sha1WithRSAEncryption
 
 #openssl x509 -in cacert.pem -noout -text
 
 
 Certificate:
[...]
 Signature Algorithm: itu-t

That certainly looks wrong to me. What do you get if you run openssl asn1parse 
-i -in cacert.pem ?




Re: Question about intermediate certificate chain

2013-05-21 Thread Wim Lewis

On 21 May 2013, at 5:02 PM, Jorge Ventura wrote:
 Because the client trusts the connection when I inform the
 intermediate, I suppose the server is not sending the intermediate,
 only the first certificate in the chain and in this case the command
 fails.

That is a reasonable conclusion. You can check for sure using the -showcerts 
option to openssl s_client.




Re: Question about intermediate certificate chain

2013-05-21 Thread Wim Lewis

On 21 May 2013, at 5:37 PM, Jorge Ventura wrote:

 Somech,
 The server side is using one .pem file like this:
 
 private key
 the certificate
 intermediate 1
 intermediate 2
 
 The intermediate 2 was signed by one root CA available at client
 side and the two intermediates were supplied by the same root authority.
 I think that I didn't forget that.


It depends on the server, but with Apache for example, I think you need to 
explicitly specify SSLCertificateChainFile, even if that same file is also 
specified using SSLCertificateFile. 




Re: Creating CSR with very long organizationName

2013-05-08 Thread Wim Lewis

On 8 May 2013, at 3:10 AM, Cipriano Groenendal - Byte Internet wrote:
 Hey all,
 
 I'm trying to create a CSR using a very long organizationName, but I keep 
 getting the message
 
 140605698299560:error:0D07A097:asn1 encoding 
 routines:ASN1_mbstring_ncopy:string too long:a_mbstr.c:154:maxsize=64
 
 I've tried using a local config and in the [ req_distinguished_name ] section 
 setting organizationName_max = 128 and 0.organizationName =128, but neither 
 seem to do the trick [1]. Does anyone know a way to encode these long strings 
 into a CSR?

It looks like RFC3280 specifies that organization names not be longer than 64 
characters, and openssl is enforcing that limit. You could probably edit the 
limits in crypto/asn1/a_strnid.c and recompile, if you wanted to make a cert 
with a longer (but not PKIX conformant) name. I don't know how other software 
would react to this --- probably it would work just fine, but...




Re: Reading an encrypted file

2013-03-05 Thread Wim Lewis

On 5 Mar 2013, at 6:57 AM, Greg Keene wrote:
 Is there an API that will allow me to read an encrypted file directly into 
 memory?  If possible I would like to bypass decrypting the file and writing 
 it back out to the hard drive.


What format is the encrypted file in? If it's just (for example) raw AES-GMAC 
and you have the key through some other means, look at the EVP functions 
(EVP_CipherInit(), etc). If it's in a container of some kind, like CMS, there 
may be openssl functions for reading that as well. In some cases you can stream 
it using BIOs; you may have to resort to reading the encrypted file into memory 
and then decrypting it into another buffer (also in memory). There shouldn't be 
any need to write the plaintext out to disk.






Re: How to use a binary public key

2013-01-23 Thread Wim Lewis
On Jan 23, 2013, at 1:12 PM, Tovey, Dwight (LaserJet RD FW Eng.) wrote:
 Hello all –
  
 I have a need to send a bit of RSA encrypted data to a device.  The device 
 will provide its public key via SNMP as 140 bytes of binary data.  I’m 
 assuming that the data is DER format, but I can’t swear to it.
[...]
 FWIW: Here is the output of ‘base64 pubkey.bin’:

Piping that to 'openssl asn1parse', it does turn out to be a DER-encoded 
SEQUENCE of two INTEGERs which look like an RSA modulus and exponent.

Most openssl commands that deal with bare public keys want a 
SubjectPublicKeyInfo structure, which is basically what you have wrapped in 
another SEQUENCE with an algorithm identifier.





Re: genrsa question how secure is the random creation

2012-12-11 Thread Wim Lewis

On 11 Dec 2012, at 3:27 PM, redpath wrote:
 an RSA pair is created. It's not so much I want to know how a pair is randomly 
 selected but how secure is that random selection. Random number generators 
 are a series and this selection could be followed for brute force deciphering.


I think the random number source or sources are configured when OpenSSL is 
built or in openssl.cnf. On the systems I'm familiar with, IIRC, entropy is 
obtained from /dev/*random and used to seed a CPRNG. 




Re: How do I tell openssl where its configuration file is, without a commandline argument?

2012-11-28 Thread Wim Lewis

On 28 Nov 2012, at 12:31 PM, Ted Byers wrote:
 Is it possible to tell openssl where the configuration file is, e.g.
 by setting an environment variable, without passing a commandline
 argument?


If I remember correctly, you can set the OPENSSL_CONF environment variable to 
the path of the config file you want. The SSL_CERT_DIR and SSL_CERT_FILE 
environment variables might also be helpful (depending on what you need).





Re: RSA quintuple vs. xmldsig mismatch

2012-10-29 Thread Wim Lewis

On 29 Oct 2012, at 8:44 AM, Miroslav Mikluš wrote:
 The xmldsig (http://www.w3.org/TR/xmldsig-core/#sec-RSAKeyValue)
 use the first form of RSA representation with respect to the :
 http://tools.ietf.org/html/rfc3447#section-3.2


The RSAKeyValue element contains a public key, but the quintuple representation 
is a way to represent a private key. So RSAKeyValue corresponds to (n,e) from 
RFC3447 section 3.1, not 3.2.




Re: Digital certificate with more than 1 year validity

2012-09-18 Thread Wim Lewis

On 17 Sep 2012, at 9:13 PM, Santhosh AP wrote:
 Kindly help us to create digital certificate having more than 365 days' 
 validity. At present we are using OpenSSL 0.9.7a Feb 19 2003 version. Kindly 
 confirm is it possible to cross the certificate validity more than 1 year, if 
 it’s possible how to do it.

I don't think there is anything preventing you from specifying a longer 
validity period, either on the command line to the 'ca' command or in the 
relevant ca section of the config file. (Some documentation says to specify it 
when creating the CSR, but this is wrong: the CSR does not carry that 
information as far as I know. The validity period is chosen by the CA when it 
creates the certificate.)

This is more of an openssl-users question than an openssl-dev question, so I've 
cc:'d that list; it's probably best if replies go there.




Re: What exactly does the -binary switch do when creating s/mime output?

2012-08-22 Thread Wim Lewis

On 21 Aug 2012, at 2:39 PM, Bart W Jenkins wrote:
 Given:
 
 openssl smime -binary -sign -passin pass:SomePassword -signer cert.pem 
 -inkey key.pem -in Document.txt -out Document.txt.sig -outform DER
 
 What *exactly* is done to the s/mime text to create a binary file?

Are you asking about the -binary flag to openssl smime or about the 
encoding of the encrypted/signed file?

I think the only difference -binary makes is whether the plaintext's 
line-endings are converted to/from the local convention vs. the 
network-standard CRLF. Glancing at the source code, the only things that flag 
affects are the mode argument of fopen() and an internal function that 
canonicalizes line endings (rather, if -binary is given, it does not 
canonicalize line endings).

 I'm trying to do the equivalent in Java using BouncyCastle and just can't get 
 from a text based PEM file to a binary/DER file.

That's controlled by the -outform DER flag to openssl, not -binary. PEM is 
simply base64-encoded DER with header and footer lines added; it has nothing to 
do with whether the data inside the crypto blob is binary or not.

I'm not familiar with the BouncyCastle APIs, but I'm guessing they generate DER 
internally and then convert that to PEM. If you want DER, just remove or 
disable that last conversion.




Re: change passphrase on CA

2012-08-21 Thread Wim Lewis

On 21 Aug 2012, at 8:03 AM, Brian J. Murrell wrote:
 I have an openssl generated CA and I want to change the passphrase on
 the CA certificate/key.  I can't seem to find any documentation on how
 to go about that.

IIRC, the newer way is to use the 'pkey' subcommand, and the older way is to 
use the subcommand corresponding to whatever kind of private key you have 
('rsa', 'dsa', maybe 'pkcs8'). I think you can just do something like

   openssl pkey -in oldkey.pem -aes256 -out newkey.pem

and it'll prompt you for the old and new passphrases.

(Or instead of -aes256 you can use any cipher from 'openssl 
list-cipher-algorithms'.)

The CA's private key is just like any other private key, so the operation isn't 
different for a CA key from (say) an SSL server's key. (The certificate is not 
encrypted, just the private key.)




Re: How to know which curve to use for which cipher

2012-07-10 Thread Wim Lewis

(I think this is more appropriate for openssl-users than -dev, so I'm 
responding to that list.)

On 10 Jul 2012, at 8:59 AM, Sirshendu Rakshit wrote:
 My questions are:
 1) Is this a good way to know the EC_KEY using the curve-name Or there is
 some better way to know it?

If you're hardcoding a specific curve, you could presumably use the 
NID_secp224r1 (or SN_secp224r1, or OBJ_secp224r1) constants defined in the 
openssl headers.


 2) When I tried prime256v1 curve-name with the same RSA cipher it didn't
 work and I got handshake failure. Is there any relationship between ECDH*
 cipher used and the curve?

I don't think so, but it's possible that the client simply didn't support that 
curve? As I understand it, the client sends a list of curves it can accept in 
an optional ClientHello extension (rfc4492), and the server chooses a curve 
from among those and tells the client which one it chose. (Or, perhaps, it only 
negotiates the use of the ECDHE cipher suite if its chosen ephemeral key is 
based on a curve supported by the client.) The server can choose any curve that 
is acceptable to both it and the client; presumably the curve also needs to be 
large enough for DH exchange to generate a good session key. 





Re: Question on openssl dgst: which private key?

2012-06-26 Thread Wim Lewis

On Jun 26, 2012, at 7:20 PM, Dave Thompson wrote:
 It's probably still easier to write a small program, 
 but if you really want to do it yourself, you can see 
 the structure by asn1parse'ing an existing one, or 
 looking at the code starting with ec/ec_asn1.c . It is 
 SEQUENCE 
  version INTEGER = 1
  privatekey OCTETSTRING -- really the integer 
  parameters CONTEXT[0] CHOICE 
named_curve OID 
-- other choices not applicable
  publickey CONTEXT[1] BITSTRING 
-- contains the encoding/representation of the point 
-- there are several options for point conversion 
-- or compression apparently defined by X9.62 
-- which I don't have so you'll probably have to find a 
-- (good) reference or go through this part of the code

I had to do this fairly recently. There's probably no need to use the 
compressed point format unless you're really pressed for space. The 
uncompressed format is described by X9.62, SEC1, and/or P1353, but it boils 
down to:

   - convert Qx and Qy to unsigned integers whose width is determined by the 
size of the curve in the obvious way (e.g., for P-384, convert them into 
48-byte integers)
   - concatenate  the byte 0x04, then Qx, then Qy  (the 0x04 indicates that an 
uncompressed point follows)

then for the rest of the encoding:
   - treat the resulting byte string as a bit string and wrap it in a DER 
BITSTRING
   - wrap the result in the rest of the structure Dave Thompson describes

IIRC, neither X9.62 nor P1353 are freely available, but SEC1 is:  
 http://www.secg.org/collateral/sec1_final.pdf
and it contains enough detail to do the entire conversion, including point 
compression if you really want to. RFC 3279, RFC 5480, and RFC 2459 may also be 
useful references along with Burton S. Kaliski's Layman's Guide to [a subset 
of] ASN.1, BER, and DER, and openssl asn1parse to check whether the result 
you have constructed is parsable.
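As an added example (not code from the thread), the following builds both the SubjectPublicKeyInfo wrapper mentioned in the earlier "binary public key" reply and the ECPrivateKey structure laid out above, with the public point in the uncompressed 0x04 || Qx || Qy form; all key values are small constructed numbers, and the curve table is an assumption limited to three named curves.

```python
"""DER encoders for the two structures discussed in this thread.

Added example, not code from the original posts: it (a) wraps a bare
RSAPublicKey (SEQUENCE of modulus and exponent INTEGERs) in a
SubjectPublicKeyInfo, and (b) builds the ECPrivateKey structure Dave Thompson
describes, with the public point in uncompressed 0x04 || Qx || Qy form.
The key values used are small constructed numbers, not real keys.
"""


def der_len(n: int) -> bytes:
    """DER length: short form below 0x80, else 0x80|count then big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def der_integer(n: int) -> bytes:
    """INTEGER (non-negative): minimal two's complement, so a leading 0x00
    is added when the top bit of the first byte is set."""
    if n < 0:
        raise ValueError("negative INTEGERs are not needed here")
    body = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return der_tlv(0x02, body)


def der_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs merged as 40*a+b, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    values = [40 * arcs[0] + arcs[1]] + arcs[2:]
    body = bytearray()
    for v in values:
        chunk = [v & 0x7F]
        v >>= 7
        while v:
            chunk.append(0x80 | (v & 0x7F))
            v >>= 7
        body.extend(reversed(chunk))
    return der_tlv(0x06, bytes(body))


def der_bitstring(data: bytes) -> bytes:
    return der_tlv(0x03, b"\x00" + data)  # leading byte: 0 unused bits


def der_sequence(*items: bytes) -> bytes:
    return der_tlv(0x30, b"".join(items))


def der_explicit(n: int, body: bytes) -> bytes:
    return der_tlv(0xA0 | n, body)  # context-specific constructed [n]


RSA_ENCRYPTION = "1.2.840.113549.1.1.1"


def rsa_public_key_der(n: int, e: int) -> bytes:
    """The bare RSAPublicKey form the device returned: SEQUENCE { n, e }."""
    return der_sequence(der_integer(n), der_integer(e))


def wrap_in_spki(rsa_public_key: bytes) -> bytes:
    """SubjectPublicKeyInfo: AlgorithmIdentifier {rsaEncryption, NULL} plus
    the RSAPublicKey carried inside a BIT STRING."""
    alg_id = der_sequence(der_oid(RSA_ENCRYPTION), b"\x05\x00")
    return der_sequence(alg_id, der_bitstring(rsa_public_key))


# Assumed curve table: named-curve OID and byte width of one field element.
CURVES = {
    "secp224r1": ("1.3.132.0.33", 28),
    "prime256v1": ("1.2.840.10045.3.1.7", 32),
    "secp384r1": ("1.3.132.0.34", 48),
}


def uncompressed_point(qx: int, qy: int, width: int) -> bytes:
    """SEC1 uncompressed point: 0x04 then fixed-width Qx and Qy."""
    return b"\x04" + qx.to_bytes(width, "big") + qy.to_bytes(width, "big")


def ec_private_key_der(curve: str, d: int, qx: int, qy: int) -> bytes:
    """ECPrivateKey: version 1, OCTET STRING d, [0] curve OID, [1] BIT STRING Q."""
    oid, width = CURVES[curve]
    return der_sequence(
        der_integer(1),
        der_tlv(0x04, d.to_bytes(width, "big")),
        der_explicit(0, der_oid(oid)),
        der_explicit(1, der_bitstring(uncompressed_point(qx, qy, width))),
    )


if __name__ == "__main__":
    print(wrap_in_spki(rsa_public_key_der(0xB5, 3)).hex())
    print(ec_private_key_der("prime256v1", 7, 1, 2).hex())
```

Either output can be piped through `openssl asn1parse -inform DER -i` to confirm it parses.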




Re: Remote access to my CA

2012-04-17 Thread Wim Lewis

On 17 Apr 2012, at 10:48 AM, Nathan Smyth wrote:
 I created a CA on my local machine (using CA.sh), which I used to develop 
 some socket-based applications. The apps access the CA using 
 SSL_CTX_load_verify_locations, with the (local) path of the CA.
 
 I'm now distributing the applications to other machines, and was wondering 
 how I can allow other machines to use my (existing, local) CA. Do I just need 
 to transfer some files to the remote machines? (is that smart?) Or is there 
 some existing service I can use to pass the data through a socket on demand? 
 I suppose there must be ways to tie this into a webserver, but I have no 
 desire to run one.

If the apps only need to be able to verify certificates issued by that CA, then 
all they need is a copy of the CA's certificate and to know that that 
certificate should be used as a trust root. (And, perhaps, access to a CRL or 
something if you want to be able to revoke certificates before they expire.) 
This is the normal way that a small CA operates.

If the apps need to be able to issue *new* certificates using the CA's 
authority, then there isn't an out-of-the-box solution that I know of, but 
mostly because that's usually not something you want to do; you usually want to 
issue an intermediate certificate to each app and allow them to issue leaves 
using that.




Re: Remote access to my CA

2012-04-17 Thread Wim Lewis

On 17 Apr 2012, at 2:04 PM, Nathan Smyth wrote:
 If the apps only need to be able to verify certificates issued by that CA, 
 then all they need is a copy of the CA's certificate and to know that that 
 certificate should be used as a trust root. (And, perhaps, access to a CRL 
 or something if you want to be able to revoke certificates before they 
 expire.) This is the normal way that a small CA operates.
 
 Thanks for that. So in summary - each of the 'remote' machines should have a 
 copy of the CAs cert, and periodically pull down the CRL... ?

Yes --- well, I've never set up CRL distribution (or OCSP) for my local CAs but 
that's my understanding, yes.




Re: ENGINE Structural and functional references

2012-04-04 Thread Wim Lewis

On 4 Apr 2012, at 12:10 PM, Sunjeet Singh wrote:
 If I have multiple SSL connections using an engine at the same time, IS IT 
 TRUE THAT-
 1. I should have at least one structural and one functional reference for the 
 entire duration within which the engine will be used i.e., between the calls 
 to ENGINE_by_id() and ENGINE_cleanup(). Or can the structural reference be 
 freed once a functional reference has been obtained?

The structural reference is not needed if you also have a functional reference. 
So, for example, the following is a reasonable pattern:

  get structural references for several ENGINEs
  figure out which one you want to use
  get a functional reference for that one (ENGINE_init())
  ENGINE_free all of the structural references you got, including the one for 
the ENGINE you're using
  ... do something with the ENGINE ...
  free the functional reference (ENGINE_finish())

The SSL context will take care of calling init/finish for the engine it uses, 
however. If what you are doing is calling SSL_CTX_set_client_cert_engine(), all 
you need to do is have a structural reference when you make the call; if you 
have no further need of the ENGINE you can free the structural reference 
immediately afterwards. The SSL_CTX will obtain the references it needs and 
will release them when the SSL_CTX itself is deallocated. At least, that is my 
understanding.

 2. Although various other functions like ENGINE_init(), ENGINE_set_default(), 
 etc. increase the number of structural and functional references to my engine 
 variable (as documented for each function), I should go on and free the extra 
 references and should only maintain one structural and one functional 
 reference to the engine at all times.

I don't think there is any cost to having extra references (of either kind) to 
an ENGINE, as long as all of the references are freed when you are done.




Re: AES-256 Implementation and OpenSSL

2012-04-02 Thread Wim Lewis

On 2 Apr 2012, at 8:09 AM, Theodore Tolstoy wrote:
 It seems to implement AES-{128,192,256} ECB mode of
 encryption/decryption(?). Am I wrong?
 
 Is it possible to use OpenSSL to achieve equivalent results?


Yes. The low-level openssl AES implementation (AES_ecb_encrypt(), etc.) is 
available (see openssl/aes.h for the function declarations), but in most cases 
it is better to use the EVP_* interface, which provides a uniform interface to 
all of the crypto algorithms.

Here's a blog post with some sample code doing AES encryption with the EVP 
interface:
   http://saju.net.in/blog/?p=36

It doesn't look like the low level AES functions have a man page, but their API 
is similar to Blowfish's (see the man page for BF_encrypt(), etc.).




Re: missing symbols when building openssl1.0.0g as static library..

2012-02-28 Thread Wim Lewis

On 28 Feb 2012, at 9:57 AM, JonathonS wrote:
 Here is the command I used to build openssl:
 
 ./Configure --prefix=/home/user/openssl_release
 --openssldir=/home/user/openssl_release no-asm threads zlib shared
 linux-x86_64
 
 After the binaries have been built, it produces libcrypto.a and
 libssl.a.  When I try to link against it, I get a bunch of missing
 symbols -- *some* are listed below.  There are a lot more.


What is the command line you are using when you link against openssl? Are the 
static libraries listed after all of the objects that reference things in them?

Check whether the symbols are actually defined in the static libraries--- eg., 
nm libcrypto.a | fgrep SSLv23_client_method (there should be several 
'U'ndefined references and one defined reference to that symbol).




Re: missing symbols when building openssl1.0.0g as static library..

2012-02-28 Thread Wim Lewis

On 28 Feb 2012, at 5:15 PM, JonathonS wrote:
 Thanks guys. Sorry for the confusion.  I thought U meant undefined
 and T meant it *belongs* in the text section, NOT that it actually
 *exists* in the text section :)
 
 Here is my linker command.
 
 g++ -g -o unit_tests unit_tests.o -L/home/user/build/openssl/debug/lib
 -lcrypto -lssl --L/home/user/build/libcurl/debug/lib -lcurl -ldl
 -lstdc++ -lpthread -lrt -lz -lstdc++
 
 When I built libcurl, I specified the --with-ssl=/.../ flag to point
 to my openssl build.

Try putting -lssl after -lcurl, and -lcrypto after -lssl, on the linker command 
line. Unlike dynamic libraries, the linker only uses the objects from a static 
library that it needs in order to satisfy all the undefined symbols; and the 
normal behavior of 'ld' is to make one pass through its arguments, in order, 
pulling in whatever's needed from each one at the time. At the time it's 
linking things from libcrypto.a in your example it hasn't yet looked at libssl 
or libcurl.
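An added illustration, not from the thread: a simulation of ld's one-pass archive scanning over constructed symbol tables, showing the original -lcrypto -lssl -lcurl order leaving the SSL symbols unresolved while the suggested order links cleanly (libc is modelled as a static archive here for simplicity).

```python
"""Simulate a single-pass static link to show why library order matters.

Added example, not code from the thread: ld walks its arguments once, and
pulls a member out of a .a archive only if that member defines a symbol that
is still undefined at that point. The symbol tables below are constructed and
reduced to a handful of symbols; libc is modelled as an archive too.
"""

# object name -> (symbols it defines, symbols it references but does not define)
UNIT_TESTS_O = {"unit_tests.o": ({"main"}, {"curl_easy_init"})}

LIBCURL = {
    "easy.o": ({"curl_easy_init"},
               {"SSL_CTX_new", "SSLv23_client_method", "malloc"}),
}
LIBSSL = {
    "ssl_lib.o": ({"SSL_CTX_new", "SSLv23_client_method"},
                  {"CRYPTO_malloc", "EVP_get_digestbyname"}),
}
LIBCRYPTO = {
    "mem.o": ({"CRYPTO_malloc"}, {"malloc"}),
    "evp_name.o": ({"EVP_get_digestbyname"}, set()),
}
LIBC = {"malloc.o": ({"malloc"}, set())}


def static_link(objects, archives):
    """Return (archive members pulled in, in order; symbols left unresolved).

    objects: dict like UNIT_TESTS_O; every object is always linked.
    archives: list of (archive name, member table) in command-line order.
    """
    defined, undefined = set(), set()
    for defs, undefs in objects.values():
        defined |= defs
        undefined |= undefs
    undefined -= defined
    pulled = []
    for lib_name, members in archives:
        # Within one archive ld rescans until nothing new is needed, but it
        # never goes back to an archive it has already passed.
        progress = True
        while progress:
            progress = False
            for member, (defs, undefs) in members.items():
                key = f"{lib_name}({member})"
                if key in pulled or not (defs & undefined):
                    continue
                pulled.append(key)
                defined |= defs
                undefined = (undefined | undefs) - defined
                progress = True
    return pulled, undefined


# The poster's order, then the order suggested in the reply.
WRONG_ORDER = [("libcrypto.a", LIBCRYPTO), ("libssl.a", LIBSSL),
               ("libcurl.a", LIBCURL), ("libc.a", LIBC)]
RIGHT_ORDER = [("libcurl.a", LIBCURL), ("libssl.a", LIBSSL),
               ("libcrypto.a", LIBCRYPTO), ("libc.a", LIBC)]

if __name__ == "__main__":
    for label, order in (("-lcrypto -lssl -lcurl", WRONG_ORDER),
                         ("-lcurl -lssl -lcrypto", RIGHT_ORDER)):
        pulled, missing = static_link(UNIT_TESTS_O, order)
        print(label, "->", "pulled:", pulled)
        print(" " * len(label), "   unresolved:", sorted(missing) or "none")
```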




Re: weak key check?

2012-02-20 Thread Wim Lewis

On Feb 17, 2012, at 5:05 PM, anthony berglas wrote:
 Taking a different slant, is it possible to provide the Entropy using a 
 pass phrase.  So a given pass phrase will always generate the same key pair.  
 This means that for simple applications no key store is required.  Much like 
 password based (symmetric) encryption.
 
 Any ideas as to how hard that would be to do with Open SSL?  Has anyone else 
 done it?


I dimly remember seeing schemes and specifications for doing roughly that, 
although I can't find a reference for one offhand[1]. All the entropy is 
provided upfront and the secret key parameters are derived from it in a 
well-defined deterministic way. AIUI the intent is to allow the RNG and PKC 
implementations to be validated independently (with published test vectors for 
the deterministic key-generation step) but presumably you could use it to 
derive RSA keys from a password as well.

(I might be remembering DSA key generation; the secret parameter of a DSA key 
doesn't have to have special properties, so you could if you wanted simply use 
the output of a PBKDF-like algorithm there?)

 My question is, has this been done, or would it be easy to do given the 
 existing structure.

I don't think it would be hard to do; OpenSSL's rsa_builtin_keygen() is pretty 
straightforward and I don't think it relies on any internals not exposed to 
users of the library. You could write a version of it that calls an equivalent 
of BN_generate_prime_ex() that works deterministically based on the passphrase.

Like others, I'm skeptical that this is actually a good idea, but I could be 
wrong...

[1] Some places suggest that X9.31 and/or X9.44 might contain deterministic 
algorithms for RSA secret key generation in their appendices, but I don't have 
easy access to those.




Re: weak key check?

2012-02-20 Thread Wim Lewis
On Feb 20, 2012, at 8:38 AM, Jakob Bohm wrote:
 On 2/17/2012 10:16 PM, Wim Lewis wrote:
 Even aside from TPM or other HSMs, hardware random number generators have 
 been a common feature of PC motherboard chipsets for a decade or so. I 
 assume, perhaps optimistically, that the /dev/?random devices that modern 
 OSs provide make use of these RNGs as well as other system entropy sources 
 (interrupt timing and so on).
 Unfortunately not!   []

How disappointing. :( Good to know, though.

 Some [low-entropy keys] could also be from the Debian/Ubuntu bug I mentioned 
 in an earlier post.

The paper mentions that they found some keys that were on the Debian/Ubuntu 
blacklist, but it sounds like these do not account for the weak keys they 
found: 21419 X.509 certificates and PGP keys are affected [factorable due to 
shared factors]. Note that affected moduli are much more frequently shared than 
non-affected ones. None of the affected moduli are blacklisted. (With more 
data, that number went up to 26965.)

Their other numbers: 30099 n-values were found on the Debian/Ubuntu blacklist, 
but only 2 immediately factorable; 71024 n-values are shared by more than one 
certificate, but many of those instances are intentional/benign.

Nadia Heninger has a post on Freedom-to-Tinker ( 
https://freedom-to-tinker.com/blog/nadiah/new-research-theres-no-need-panic-over-factorable-keys-just-mind-your-ps-and-qs
 ). She's not one of the authors of the Lenstra paper but is part of a 
different group that was doing similar research and finding similar results. 
From that post:

 this problem mainly affects various kinds of embedded devices such as routers 
 and VPN devices, not full-blown web servers. [] 
 
 So which systems are vulnerable? Almost all of the vulnerable keys were 
 generated by and are used to secure embedded hardware devices such as routers 
 and firewalls, not to secure popular web sites such as your bank or email 
 provider. Only one of the factorable SSL keys was signed by a trusted 
 certificate authority and it has already expired. []
 
 Embedded devices are well known to have entropy problems. However, until now 
 it wasn't apparent how widespread these problems were in real, 
 Internet-connected devices.




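The shared-factor weakness discussed in this thread is something a key inventory can be checked for directly: if two RSA moduli share a prime, a single gcd() recovers that prime and both keys are broken. The following is an added example (not code from the post, from OpenSSL, or from the Lenstra or Heninger groups), using constructed toy moduli; the function names and the sample data are mine. It also separates out identical moduli, which gcd() cannot factor and which, as the post notes, are often benign.

```python
"""Shared-factor check for a set of RSA moduli (the 'mind your Ps and Qs' finding).

Added example with constructed toy moduli; real moduli are 1024-4096 bits, but
gcd() on Python ints works the same way at that size."""
from collections import Counter
from math import gcd, isqrt


def next_prime(n):
    """Smallest prime above n, by trial division (fine for the toy sizes here)."""
    n += 1
    while any(n % d == 0 for d in range(2, isqrt(n) + 1)):
        n += 1
    return n


def toy_primes(count, start=1_000_000):
    primes, p = [], start
    for _ in range(count):
        p = next_prime(p)
        primes.append(p)
    return primes


def find_shared_factors(moduli):
    """Pairwise gcd over the distinct moduli.

    Returns (factored, duplicates):
      factored   -- {n: (p, q)} for each modulus sharing a prime with another;
                    both keys in such a pair are fully recovered.
      duplicates -- {n: count} for moduli that appear more than once. gcd(n, n) == n
                    tells you nothing, so these are reported separately (one key in
                    several certificates may be intentional; cloned devices are not).
    """
    counts = Counter(moduli)
    duplicates = {n: c for n, c in counts.items() if c > 1}
    distinct = sorted(counts)
    factored = {}
    for i, a in enumerate(distinct):
        for b in distinct[i + 1:]:
            g = gcd(a, b)
            if 1 < g < a:                      # a nontrivial common prime
                factored.setdefault(a, (g, a // g))
                factored.setdefault(b, (g, b // g))
    return factored, duplicates


# Constructed sample: seven toy primes, five "keys". Key 2 shares a prime with
# key 1, keys 3 and 4 are the same modulus, key 5 is unrelated to the others.
P = toy_primes(7)
SAMPLE_MODULI = [P[0] * P[1], P[1] * P[2], P[3] * P[4], P[3] * P[4], P[5] * P[6]]


def weak_key_report(moduli=SAMPLE_MODULI):
    """Summarise a modulus set as factorable / shared-modulus / clean."""
    factored, duplicates = find_shared_factors(moduli)
    return {
        "factorable": factored,
        "shared_modulus": duplicates,
        "clean": [n for n in set(moduli) if n not in factored and n not in duplicates],
    }
```

The pairwise loop is quadratic, which is fine for a few thousand keys from one fleet; the published Internet-scale scans used a product-tree batch GCD to get the same answer in near-linear time. Either way the output is the same: a modulus that shares a prime with any other modulus is a private key that must be revoked, not merely rotated later.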
Re: weak key check?

2012-02-17 Thread Wim Lewis

On Feb 16, 2012, at 9:22 AM, Kenneth Goldman wrote:
 Many laptops and desktops and some servers now come with a TPM chip, 
 a free source of hardware random numbers. 

Even aside from TPM or other HSMs, hardware random number generators have been 
a common feature of PC motherboard chipsets for a decade or so. I assume, 
perhaps optimistically, that the /dev/?random devices that modern OSs provide 
make use of these RNGs as well as other system entropy sources (interrupt 
timing and so on).

It sounds like most of the low-entropy keys discovered by Lenstra+co belong not 
to desktop/server machines but to embedded devices such as firewalls or VPN 
boxes; it's easy to imagine that such a device, without a hardware RNG and 
generating its secret key immediately after its first boot, fresh from factory 
initialization, could have a hard time getting enough entropy.



Re: About the usage of SSL_get_ex_new_index

2012-02-08 Thread Wim Lewis

On 7 Feb 2012, at 8:50 AM, Bruce (Riji) Cai wrote:
 Hi all,
  
 From man page of SSL_CTX_set_verify, I saw this example snippet:
  
   /*** snippet begin */
  ...
  
 mydata_t mydata;
  
 ...
 mydata_index = SSL_get_ex_new_index(0, "mydata index", NULL, NULL, 
 NULL);
  
 ...
 SSL_set_ex_data(ssl, mydata_index, &mydata);
  
 /*** snippet end */
 My questions are:
  
 1. Why it gets index from a global instead of from the specific ssl session 
 context?

Even though each SSL session will have its own data, the types of data stored 
will probably be the same (or mostly the same) for all the SSL sessions in the 
process. So the indexes are allocated globally; once you get an index, you can 
use that index to store your data in *any* SSL session. Usually 
get_ex_new_index() is called during startup and the index is stored in a 
variable that is private to the code that is using it.

 2. This returned index increased for each time even for different ssl 
 connection, I don’t know why, though I saw some comments in manpage of 
 RSA_get_ex_new_index, saying “Each successful call to RSA_get_ex_new_index() 
 will return an index greater than any previously returned, this is important 
 because the optional functions are called in order of increasing index  
 value.” But I  can’t understand why “this is important”.

I think it is only important if it matters to you what order the optional 
functions are called. For example, maybe your new_func or dup_func relies 
indirectly on data which is stored under another index. In your example you are 
passing NULL for all three optional functions so it doesn't matter for you.

 3.  If I have multiple simultaneous ssl connections, for each connection, can 
 I  NOT call SSL_get_ex_new_index, and store my private data by directly 
 writing to index 0 position, e.g. SSL_set_ex_data(ssl, 0, mydata) ? Then I 
 get back the data in by calling mydata = SSL_get_ex_data(ssl,0).

The important thing is not to use the same index as any other code. 
get_ex_new_index() returns a new, different index every time it is called. If 
you get an index from it, then you know that you own that slot in the array, 
and nobody else should be storing their private data in that slot.

Here is an old posting to the mailing list explaining the ex_index stuff in a 
different way; perhaps it will be clearer:
   http://www.mail-archive.com/openssl-users@openssl.org/msg52322.html



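The three points in the reply above (indexes are allocated once per process and then used on any SSL object; callbacks run in increasing index order, so a later index may depend on an earlier one; hard-coding index 0 collides with whoever legitimately owns it) are easiest to see in a small model of the mechanism. This is an added Python model, not OpenSSL's code: the class and function names are mine, and the new/dup/free callback signatures are simplified relative to the real CRYPTO_EX_new/dup/free prototypes.

```python
"""Model of OpenSSL's ex_data mechanism: index allocation is process-global,
the data slots are per object. Illustrative only; not OpenSSL's API."""


class ExDataRegistry:
    """Stands in for SSL_get_ex_new_index(): every call returns a fresh index,
    strictly greater than any returned before, and remembers the callbacks."""

    def __init__(self):
        self.slots = []          # list of (argl, argp, new_func, dup_func, free_func)

    def get_ex_new_index(self, argl=0, argp=None, new_func=None,
                         dup_func=None, free_func=None):
        self.slots.append((argl, argp, new_func, dup_func, free_func))
        return len(self.slots) - 1


REGISTRY = ExDataRegistry()      # the single, library-global allocator


class SSLObject:
    """Stands in for one SSL connection; owns one ex_data array."""

    def __init__(self, registry=REGISTRY):
        self.registry = registry
        self.ex_data = {}
        for idx, (argl, argp, new_func, _, _) in enumerate(registry.slots):
            if new_func:
                new_func(self, idx, argl, argp)     # new_funcs run in index order

    def set_ex_data(self, idx, value):
        if not 0 <= idx < len(self.registry.slots):
            raise IndexError("ex_data index %d was never allocated" % idx)
        self.ex_data[idx] = value

    def get_ex_data(self, idx):
        return self.ex_data.get(idx)

    def dup(self):
        """Copy the object; dup_funcs run in increasing index order."""
        clone = SSLObject.__new__(SSLObject)
        clone.registry, clone.ex_data = self.registry, dict(self.ex_data)
        for idx, (argl, argp, _, dup_func, _) in enumerate(self.registry.slots):
            if dup_func:
                dup_func(clone, self, idx, argl, argp)
        return clone


# Two independent modules, each allocating its own index once at startup.
CALL_LOG = []


def module_a_dup(clone, orig, idx, argl, argp):
    CALL_LOG.append(("A", idx))
    clone.set_ex_data(idx, orig.get_ex_data(idx) + "-copy")


def module_b_dup(clone, orig, idx, argl, argp):
    CALL_LOG.append(("B", idx))
    # Reads module A's slot on the clone. Safe only because A's index is lower,
    # so A's dup_func has already run: this is why the ordering guarantee matters.
    clone.set_ex_data(idx, {"label": clone.get_ex_data(A_INDEX)})


A_INDEX = REGISTRY.get_ex_new_index(argp="module A: connection name", dup_func=module_a_dup)
B_INDEX = REGISTRY.get_ex_new_index(argp="module B: bookkeeping", dup_func=module_b_dup)


def demo_dup():
    """Return (A's data on the clone, B's data on the clone, callback order)."""
    del CALL_LOG[:]
    ssl = SSLObject()
    ssl.set_ex_data(A_INDEX, "conn-1")
    ssl.set_ex_data(B_INDEX, {"label": "conn-1"})
    clone = ssl.dup()
    return clone.get_ex_data(A_INDEX), clone.get_ex_data(B_INDEX), list(CALL_LOG)


def demo_collision():
    """The 'just write to index 0' idea from question 3: a module that skips
    get_ex_new_index() silently overwrites whoever legitimately owns index 0."""
    ssl = SSLObject()
    ssl.set_ex_data(A_INDEX, "conn-1")
    ssl.set_ex_data(0, "module C's private data")      # hard-coded index, never allocated
    return ssl.get_ex_data(A_INDEX)
```

In the model, as in the library, the registry is global while each SSLObject carries its own slots, so one index serves every connection in the process. demo_collision() returns module C's string where module A expected its connection name, which is exactly the silent corruption that allocating an index avoids.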
Re: openssl and SHA256

2012-01-18 Thread Wim Lewis

On Jan 18, 2012, at 11:47 AM, Scott Wilson wrote:
 Does openssl support SHA256?

Yes, it does. I'm not sure why it doesn't show up in the output of 
list-message-digest-commands or the usage message, but openssl sha256 will 
compute a SHA256 digest, and openssl dgst --help lists it.



Re: Difference b/w TLS Connection and TLS Session

2011-11-04 Thread Wim Lewis

On 4 Nov 2011, at 7:12 AM, Mr.Rout wrote:
 Can  any body please let me know what is the difference between TLS
 Connection and TLS Session ?

If a client makes a connection to a server it has previously connected to, it 
can re-use the cryptographic parameters (such as the initial session key / 
master secret) from its last connection instead of negotiating them again. 
This is session resumption; see the section of RFC2246 that Richard Könning 
referred to.

 How many TLS Session would be there in one TLS Connection? For each TCP 
 connection how many TLS Connection and TLS Session would be there ?

Each TCP connection only has one TLS connection, and each TLS connection only 
has one TLS session. However, later connections can re-use (resume) an earlier 
session for efficiency. The PKC operations to establish a shared session key 
only have to be done once, when the session is first created.

On 4 Nov 2011, at 9:44 AM, Mr.Rout wrote:
 I am seeing  that for one TCP connection my TLS client is doing 4
 handshakes. I don't know what is the reason for this. 
 But when i  see the packet capture i see TLSv1: [TCP Previous segment lost]
 Ignored Unknown  TLSv1: Encrypted Alert. 

I don't know what's happening in that packet trace. Is it possible that the 
connection is being dropped and the client is reconnecting (resulting in a new 
client hello, etc., as it sets up the new TLS connection for the new TCP 
connection)? If the number in parentheses is the client's port number, then 
that's what's happening.



Re: strong TLS connections

2011-10-26 Thread Wim Lewis

On 7 Oct 2011, at 7:40 PM, Kristen J. Webb wrote:
 I'm exploring the security of TLS for TCP/IP connections.
 I would like to establish TLS connections using server certificates
 (managing client certs via external or internal PKI is painful).
 My understanding is that a TLS connection with a server cert
 only identifies the server to the client.  This leads to a MiTM
 attack, where the mitm can impersonate the client because the server
 has not verified the client.
 
 My question is, if multiple servers are used, can this attack
 (and possibly others) be avoided?
 
 Example:
 initiate_server: TLS connect with client
 initiate_server: send encrypted data over TLS to client (including 
 target_server:port)
 initiate server: TLS connect with target_server
 initiate_server: send encrypted data over TLS to target_server (including 
 listen port, client, etc)
 client: attempt TLS connection to target_server:port
 target_server: accept TLS connection from client
 client/target_server: verify additional encrypted data (from initiate_server)
 to establish a connection

If I understand this, you're trying to use 'initiate_server' to introduce the 
other two machines to each other, and relying on those two machines' server 
certificates to allow initiate_server to verify that it's talking to the right 
machine?

I see two problems with this. One is that initiate_server isn't authenticated 
to the other machines--- evil_server could connect to target_server, give it 
fake encrypted data and client info, and then impersonate the client.

The other problem is that this isn't really avoiding having a certificate on 
the client machine. If you have a trustworthy certificate on client, which 
initiate_server can use to authenticate the connection, why not use that 
certificate as a client certificate when client connects to target_server (and 
eliminate the role of initiate_server entirely)?

Apologies if I don't understand your original motivation, but I don't see how 
the introducer scheme helps you any.



Re: Open SSL API's Support For IPv6.

2011-09-21 Thread Wim Lewis

On 21 Sep 2011, at 6:17 AM, Akanksha Shukla wrote:
 Currently we are using OpenSSL 0.9.8 version. I have question about few of
 the API's support for IPV6.
 
 1) BIO_new_connect()
[...]
 
 Queries :
 1) Do the above mentioned API's support IPv6?

I don't think so. BIO_new_connect() (and BIO_get_host_ip() which it calls) only 
deal in IPv4 addresses.

As far as I know, though, you should be able to make an IPv6 socket connection 
yourself, pass it to BIO_new_socket(), and have it work. It's just the 
hostname/address lookup that is address-family specific. (Oddly, the server 
side of things (accept() etc.) seems to have been extended to support IPv6 
already.)



Re: Help compiling,assembling and linking RC4 code.

2011-08-22 Thread Wim Lewis

On 19 Aug 2011, at 4:08 AM, rastir...@rastirrat.force9.co.uk wrote:
 What I am try to do is build the assembly language version of RC4.  So far
 I have been able to create the rc4-586.asm file by running the rc4-586.pl
 script.
 
 I specifically want to run rc4speed and rc4test but using the rc4-586
 assembler code.
 
 I have tried assembling this file using nasm but I get raft of errors.
 Which C compiler do you recommend?

The rc4-586.pl script will produce output with different syntax for different 
assemblers depending on how it's invoked. Could that be the problem? I assume 
you'd want the 'win32' target.





Re: Usage of macro OPENSSL_NO_STDIO

2011-08-17 Thread Wim Lewis

On 17 Aug 2011, at 7:36 AM, Kchitiz Saxena wrote:
 Can somebody briefly explain the use of macro OPENSSL_NO_STDIO. There are few 
 functions like SSL_CTX_use_certificate_file() which are defined only if this 
 macro is not defined. What is the functionality which is derived out of this 
 macro definition. In short, what do I get/lose if I define this macro while 
 compiling?

It removes functions which depend on the stdio functions (defined in stdio.h, 
which perform I/O using the FILE * type). I assume this is useful when openssl 
is being compiled for use in an embedded environment or other special situation 
where stdio is not available.

I think it's not a macro that users of openssl are expected to define; instead, 
it's defined when openssl is configured, and users of the library can check 
whether it's defined in openssl's headers (probably via opensslconf.h).



Re: Bug in OpenSSL 0.9.8e

2011-07-27 Thread Wim Lewis

On 20 Jul 2011, at 2:25 AM, Vinay Kumar wrote:
 Hi All,
 
 I am using OpenSSL 0.9.8e. The OpenSSL function sha1_block_host_order() 
 sometimes crashes on Linux. Is there any fix available for this issue, or what 
 modifications need to be done? Please guide me.
 
 The core back trace is as follows:
 Program terminated with signal 11, Segmentation fault.
 #0  0x00560670 in sha1_block_host_order ()
 (gdb) bt
 #0  0x00560670 in sha1_block_host_order ()
 #1  0x005605a4 in sha1_block_host_order ()
[etc]


Unfortunately the hand-optimized assembly SHA1 implementation tends to confuse 
debuggers; only the first stack frame of that backtrace is likely accurate, so 
it's hard to tell where the fault is. Presumably the SHA1 function was either 
passed a NULL buffer, an invalid buffer, or an invalid buffer length, due to a 
bug in some code that calls it.

You could try examining the machine instruction at which it crashed (x/i $pc 
in gdb); it is presumably reading from memory via a register. Examine the 
registers (inf reg in gdb) to see whether it was dereferencing address 0 
(null pointer) or some other wild address (bad pointer or bad buffer length). 
With luck this will give you an idea what to look for next.

You could also try recompiling openssl in a more debuggable form (disabling the 
optimized assembly).

(The patches I submitted to Openssl RT ticket #2562 a couple of weeks ago make 
this problem less severe but they haven't been incorporated into openssl.)



Re: Simple question: Maximum length of PEM file?

2011-07-27 Thread Wim Lewis

On 26 Jul 2011, at 10:16 PM, Katif wrote:
 Can you tell me what are the application dependency factor here so we'll be
 able to chase a limit? 
 
 It is used as an RSA key exchange certification/private key pairing.
 
 Thanks...


The two things that are variable size are the key material itself, and the many 
fields that can occur in a certificate. A private key file just has key 
material, so its size should be proportional to the key size in bits (plus 
constant overhead); a certificate has key material for the key it represents, a 
signature from the issuer's key (which may have a size dependent on that key's 
size), and an arbitrary collection of other data that can be incorporated into 
the certificate when it's created (such as the name or address of the subject, 
or a list of permitted/forbidden uses, CRL distribution points, legal 
boilerplate, etc). I don't think there's any limit to the amount of extension 
data that can be included in a certificate, though in practice it's rarely more 
than a few kilobytes.

I'd suggest parsing a handful of files using openssl asn1parse to get an idea 
of what's in there and how large each thing is. The sizes and offsets that 
asn1parse gives you refer to the DER-encoded file; a PEM-encoded file has four 
bytes for every three of DER, plus another few percent overhead for line 
endings.

As Kenneth Goldman says, though, you need to consider what will happen when you 
encounter a certificate larger than you expect, because it *will* happen.



Re: Handshake question

2011-07-27 Thread Wim Lewis

On 27 Jul 2011, at 1:52 PM, castre...@gmail.com wrote:
 Using memory buffers and blocking IO. 
 
 I begin the handshake by the client initiating hello message. 
 The server reads message, and data is put in its ssl output. This is sent 
 back to client. 
 The client reads the data (SSL_read) and data is populated in the ssl output. 
 This is sent back to the server. ( it is waiting for more input from server) 
 The server reads the data (SSL_read) and nothing is generated in output; 
 it is waiting for more information from client. 

The handshake requires several messages to be sent back and forth. The server 
has sent another message to the client at this point and is waiting for a 
response to that message. Has that message been delivered to the client?



Re: Handshake question

2011-07-27 Thread Wim Lewis

On 27 Jul 2011, at 4:37 PM, castre...@gmail.com wrote:
 There is no data to send to the client ( I have checked the BIO out and there 
 is no pending data to send out). 
 This is my main problem. 
 
 When I check the clients state using SSL_state_string from the last read it 
 returns UNKWN. 
 
 
 I went ahead and did some changes just to seem if I could shake things up. 
 Originally I had my context set to server = method_sslv3_tlsv1, client 
 =method_tlsv1 
 
 But then I changed it to 
 server = method_sslv3 
 client = method_sslv3 
 
 As I ran this the server came up with the following error on a SSL_read: 
 
 0x101069c0 error:140A1159:SSL routines:SSL_BYTES_TO_CIPHER_LIST:scsv 
 received when renegotiatingchar * 
 
 The data the server was reading, the response from the client. The client had 
 sent a hello, the server sent a response to that, 
 in which the client sent a response and then the server errored. 
 
 What does this error mean. 
 Again, could there be something wrong with my certificates. On the server side 
 i load the server cert (PEM) and the private key. 
 On the client side I just load the CA cert. 


Hmmm. In that case, I don't know what the problem is. I've cc'd this back to 
the openssl-users list in case it gives someone else an idea.

scsv received when renegotiating sounds like it's related to the RFC-5746 
renegotiation-attack prevention stuff, which I don't know much about.

 Thanks for your response..I am very confused. 
 Does the O'Reilly book for OpenSSL have good information?? 


I haven't read it. :) SSL and OpenSSL can be pretty confusing, good luck.




Re: SSL_read returns SSL_ERROR_WANT_READ

2011-07-12 Thread Wim Lewis

On 11 Jul 2011, at 3:18 PM, Carla Strembicke wrote:
 The server receives the encrypted data and sends to the lower level and 
 where it is pumped into the SSL structure ( which is using these memory 
 buffers) using the BIO_write call ( I actually see that bytes are written 
 into it) and the buffer looks good.  I then go and do an SSL_read() and I get 
 nothing except  SSL_ERRO_WANT_READ. I do see that a session has been 
 established and that the packet member actually contains the data I want 
 access tobut the member state=8576 and rstate=240. 
  
 What am I missing
 Is it something to do with the handshake that I am missing or the reading of 
 the data.

During the initial handshake (and a few other times) the two ends of the 
connection will need to send several messages back and forth before any 
cleartext data appears. Is it possible that the client or server has written a 
message to the buffer, and is returning SSL_WANT_READ because it is waiting for 
a response from the other side? Are you checking for data written to your _out 
BIO and copying it to the socket even when you are reading? See:
   http://www.openssl.org/support/faq.html#PROG10

If you look in ssl.h/ssl2.h/ssl3.h you can decode the state values (or use 
SSL_state_string_long()) to describe the connection's current state:
   8576 = 0x2180 = SSL_ST_ACCEPT|SSL3_ST_SR_CERT_A

which is part of the connection setup still, I think.




Re: Updating code using ASN1_HEADER

2011-07-07 Thread Wim Lewis

On Jun 29, 2011, at 5:22 AM, Kenneth Porter wrote:
 I need to update an old piece of code written for 0.9.7 that uses the 
 obsolete ASN1_HEADER struct as part of importing a Netscape certificate  [...]

It looks like that piece of code was adapted from load_cert() in openssl's 
apps.c. Try looking in the current version of apps.c and re-adapting what you 
find there--- I know nothing about the Netscape cert format (is it still used 
anywhere?) but it seems to simply be an OCTET_STRING containing a magic value 
(the text certificate), followed by a normal X509 structure; and there's an 
{i2d,d2i,etc}_NETSCAPE_X509() in libcrypto now to handle it.



Re: Need to extract the checksum from a signature

2011-07-05 Thread Wim Lewis

On 4 Jul 2011, at 7:47 AM, Roland Flury wrote:
 At the moment I use the PHP function openssl_pkcs7_verify() to verify 
 the signature (I also could use the openssl command line tool with a 
 system command). But verify is not enough, because I need to send back 
 the digest.
 
 Is there any way to extract the digest from the signature. I couldn't
 find a solution for that after hours of searching the internet an all
 my encryption books.

Not using the command-line tools, I think. You could write a simple C program 
to parse the signature (d2i_PKCS7_fp()) and look through the authenticated 
attributes of the PKCS7_SIGNER_INFO structures for a pkcs-9-at-messageDigest 
attribute. It's optional, but I think most signing tools include it. See 
RFC2318 (PKCS#7, which S/MIME uses) and RFC2985 (PKCS#9).

Alternately you could just compute the message digest a second time.



Re: Reliable identification by DN (or something else) for commercially-signed certs?

2011-06-29 Thread Wim Lewis

On 26 Jun 2011, at 11:39 AM, Leo Richard Comerford wrote:
 What should I use to whitelist certificates by? Specifically, what can
 I whitelist on to prevent false positives? For example, the obvious
 thing seems to be Distinguished Name. But can I safely assume that any
 two certificates issued by a big-name commercial CA to two different
 entities will have different (full) DNs?

I would hope so--- but like you I have little confidence in the CAs being 
relied on to do the right thing.

What about using the subjectPublicKeyInfo, or a hash of that? This has some 
pluses and minuses:
   1. False positives shouldn't be a problem; if two users have the same 
subjectPublicKeyInfo they functionally have the same key.
   2. You don't need to rely on the CA getting anything right. You'd not be 
using the PKI at all.
   3. If a user switches to a new key, they can't just get a certificate for 
the new key and keep going--- they'll need to go through the process of putting 
their new key on your whitelist as well. (But you could fallback to relying on 
the CA for this.)




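Whitelisting on the subjectPublicKeyInfo rather than the DN, as suggested above, needs only two things: locating the subjectPublicKeyInfo field inside the certificate's DER and hashing it. The following is an added example (not code from the post or from OpenSSL) with a minimal DER walker; the certificate skeletons it builds are constructed test data with placeholder contents, not valid certificates, since only the TLV structure matters for finding the field. Function and constant names are mine.

```python
"""Whitelisting by subjectPublicKeyInfo (SPKI) hash rather than by DN.

Added example with a minimal DER walker and constructed, non-valid certificate
skeletons: only the TLV structure matters for locating subjectPublicKeyInfo."""
import base64
import hashlib

SEQUENCE, INTEGER, BIT_STRING, OID, CONTEXT_0 = 0x30, 0x02, 0x03, 0x06, 0xA0


def _der_length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    """Encode one DER element."""
    return bytes([tag]) + _der_length(len(body)) + body


def read_tlv(buf, off=0):
    """Decode the element at buf[off:]; returns (tag, body, offset_after_element)."""
    tag, first = buf[off], buf[off + 1]
    off += 2
    if first & 0x80:                       # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    else:
        length = first
    return tag, buf[off:off + length], off + length


def elements(body):
    """Split a constructed body into its children as (tag, full_tlv_bytes)."""
    out, off = [], 0
    while off < len(body):
        tag, _, nxt = read_tlv(body, off)
        out.append((tag, body[off:nxt]))
        off = nxt
    return out


def extract_spki(cert_der):
    """Return the raw DER of subjectPublicKeyInfo from a Certificate.

    Certificate    ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, cert_body, _ = read_tlv(cert_der)
    if tag != SEQUENCE:
        raise ValueError("not a DER SEQUENCE")
    tbs_tag, tbs_tlv = elements(cert_body)[0]
    if tbs_tag != SEQUENCE:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    fields = elements(read_tlv(tbs_tlv)[1])
    if fields and fields[0][0] == CONTEXT_0:      # explicit [0] version present
        fields = fields[1:]
    if len(fields) < 6:
        raise ValueError("TBSCertificate too short")
    return fields[5][1]


def spki_pin(cert_der):
    """sha256(SPKI) in base64: the usual printed form of an SPKI pin."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode("ascii")


def is_whitelisted(cert_der, whitelist):
    return spki_pin(cert_der) in whitelist


# --- constructed test data (placeholder fields, not real certificates) --------
def toy_spki(key_bytes):
    alg = tlv(SEQUENCE, tlv(OID, b"\x2a"))            # placeholder AlgorithmIdentifier
    return tlv(SEQUENCE, alg + tlv(BIT_STRING, b"\x00" + key_bytes))


def toy_certificate(serial, subject, spki):
    tbs = tlv(SEQUENCE, b"".join([
        tlv(CONTEXT_0, tlv(INTEGER, b"\x02")),          # version v3
        tlv(INTEGER, bytes([serial])),
        tlv(SEQUENCE, tlv(OID, b"\x2a")),               # signature algorithm (placeholder)
        tlv(SEQUENCE, b"issuer-placeholder"),
        tlv(SEQUENCE, b"validity-placeholder"),
        tlv(SEQUENCE, subject),
        spki,
    ]))
    return tlv(SEQUENCE, tbs + tlv(SEQUENCE, tlv(OID, b"\x2a")) + tlv(BIT_STRING, b"\x00sig"))


SPKI_A = toy_spki(bytes(range(64)))
SPKI_B = toy_spki(bytes(range(64, 128)))
CERT_A1 = toy_certificate(1, b"CN=alice", SPKI_A)           # original certificate
CERT_A2 = toy_certificate(9, b"CN=alice-renewed", SPKI_A)   # renewed: same key, new DN
CERT_B = toy_certificate(2, b"CN=alice", SPKI_B)            # same DN, different key
```

CERT_A1 and CERT_A2 produce the same pin although their serial numbers and subjects differ, which is point 1 above (same SPKI, functionally the same key), while CERT_B shares a DN with CERT_A1 but gets a different pin, so a DN collision at the CA cannot produce a false positive. Point 3 is also visible: a subject who rolls to a new key changes their pin and has to be re-enrolled.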
Re: problem with EVP_DecryptFinal_ex function

2011-06-22 Thread Wim Lewis

On 22 Jun 2011, at 5:46 AM, Damir Musulin wrote:
 I have created a decrypt function and it fails (how wonderful)
 
 The problem lies in the EVP_DecryptFinal_ex.
 I have made use of the ERR_print_errors_fp(stderr); option to see what
 is wrong but it is quite
 a cryptic message:
 2621:error:0606506D:lib(6):func(101):reason(109):evp_enc.c:323:

I think you will get less-cryptic error messages if you put a  call to 
ERR_load_crypto_strings() near the beginning of your program:

   http://www.openssl.org/docs/crypto/ERR_load_crypto_strings.html

Alternatively, you can look up what reason #109 is in your headers (I think 
it's EVP_R_WRONG_FINAL_BLOCK_LENGTH), or look at line 323 of your version of 
evp.c to see what error condition it's testing there.

As for your actual error, I don't know the cause, but I notice you're giving 
zero bytes of input to the decryption function--- this may make some padding 
modes unhappy:

   http://en.wikipedia.org/wiki/Padding_(cryptography)#CBC_mode



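Two things from the reply above are worth seeing in code: how the packed error number in `error:0606506D:lib(6):func(101):reason(109)` decomposes into its fields, and why a zero-length input cannot be a valid CBC message once PKCS#7 padding is involved. This is an added example, not code from the post or from OpenSSL; the bit layout is the ERR_GET_LIB/ERR_GET_FUNC/ERR_GET_REASON split of OpenSSL 1.0/1.1-era err.h (OpenSSL 3 dropped the function field), ERR_LIB_EVP is 6, and the reason name for 109 is the one the reply gives. The padding helpers are a plain-Python model of the check a decrypt's final-block step has to perform.

```python
"""Decoding a packed OpenSSL error code, plus the PKCS#7 padding rule behind the
'wrong final block length' error. Added example; constants follow the OpenSSL
1.0/1.1-era err.h / evp.h layout (OpenSSL 3 dropped the function field)."""

BLOCK = 16    # AES block size; the sample error came from a CBC decrypt


def unpack_error_code(code):
    """ERR_GET_LIB / ERR_GET_FUNC / ERR_GET_REASON for the 1.0/1.1 layout:
    8 bits of library, 12 bits of function, 12 bits of reason."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


LIB_NAMES = {6: "EVP"}                                   # ERR_LIB_EVP
EVP_REASONS = {109: "EVP_R_WRONG_FINAL_BLOCK_LENGTH"}    # reason 109, as named in the reply


def describe_error(code):
    """Human-readable form of a packed code, using the small tables above."""
    lib, func, reason = unpack_error_code(code)
    lib_name = LIB_NAMES.get(lib, "lib%d" % lib)
    reason_name = "reason%d" % reason
    if lib_name == "EVP":
        reason_name = EVP_REASONS.get(reason, reason_name)
    return "%s:func(%d):%s" % (lib_name, func, reason_name)


def pkcs7_pad(data, block=BLOCK):
    """Always appends 1..block bytes, so even b'' becomes one full block before
    encryption: a zero-length ciphertext can never be a valid CBC/PKCS#7 message."""
    n = block - len(data) % block
    return data + bytes([n]) * n


def pkcs7_unpad(data, block=BLOCK):
    """What the final-block step of a decrypt has to check on the last block."""
    if len(data) == 0 or len(data) % block:
        raise ValueError("wrong final block length")    # the error in the question
    n = data[-1]
    if not 1 <= n <= block or data[-n:] != bytes([n]) * n:
        raise ValueError("bad decrypt")                 # padding bytes inconsistent
    return data[:-n]


def ciphertext_length_ok(n_bytes, block=BLOCK):
    """Cheap pre-check before handing CBC/PKCS#7 data to a decrypt routine."""
    return n_bytes > 0 and n_bytes % block == 0


def unpad_result(data):
    """('ok', plaintext) or ('error', message), for easy inspection."""
    try:
        return "ok", pkcs7_unpad(data)
    except ValueError as e:
        return "error", str(e)
```

Running unpack_error_code(0x0606506D) gives (6, 101, 109), matching the lib/func/reason numbers in the message, which is all ERR_print_errors_fp() could print without the string tables loaded. The padding functions show the second half of the reply: an empty plaintext is still encrypted as one 16-byte block, so feeding zero bytes to the decrypt side is a length error before any key is consulted.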
Re: Replacement of functions that operate with sockets

2011-06-15 Thread Wim Lewis

On 15 Jun 2011, at 11:57 AM, ml.vladimbe...@gmail.com wrote:
 Whether is it possible to implement? I have read in the documentation about 
 BIO-functions, and could not understand  is it possible to implement or not.
 Thanks for any help or suggestions.

Yes, this is possible. It is asked on this mailing list every now and then, I 
guess there should be better documentation or an example of using OpenSSL in 
this way.



Re: SSL Communication using BIO

2011-05-23 Thread Wim Lewis

On 23 May 2011, at 1:29 PM, Harshvir Sidhu wrote:
 Anyone any comments on this. Is openssl appropriate choice for my case?

As I understand it you want OpenSSL to handle the protocol and encryption, but 
you don't want OpenSSL to do any network I/O itself: you want to do that (via 
the C# sockets class).

An example of using OpenSSL in this way is in 
demos/state_machine/state_machine.c in the OpenSSL distribution. As David 
Schwartz says, the important thing is not to assume that reads and writes of 
your data correspond directly to reads and writes on the socket. SSL may need 
to perform multiple reads and writes before you see any data (for example, 
during a handshake or renegotiation).

state_machine.c uses memory BIOs to buffer data going in and out of SSL. I 
think a better way to do it in current versions of OpenSSL is to make your own, 
nonblocking BIO which calls into your C# code as needed. But I could be wrong.



Re: Clients glomming onto a listener

2011-05-10 Thread Wim Lewis

On 10 May 2011, at 4:13 PM, David Schwartz wrote:
 On 5/10/2011 2:10 AM, John Hollingum wrote:
 Pretty much immediately after the accept the program forks a handler,
 but the rogue clients must be glomming onto the main process before the
 SSL negotiation is complete.
 
 Calling 'fork' with an accepted SSL connection has all kinds of known issues. 
 The fundamental problem is that there are many operations that must occur 
 both before and after the 'fork', for different reasons, and obviously can't 
 do both.

You could accept just the TCP connection in the main process and do all of the 
SSL handshake in the forked process (I think IO::Socket::SSL->start_SSL() is 
what you want for that) --- this would not be a high-performance approach (no 
SSL session cache, fork overhead) but if it's fast enough it's fast enough.

It's possible to use openssl in a non-blocking, event-driven manner but I don't 
think Perl's SSL modules expose enough of the openssl API to do that.



Re: Conversion of RSA Encrypted message to Base64 format !!!

2011-04-20 Thread Wim Lewis

On 20 Apr 2011, at 3:01 AM, pattabi raman wrote:
 How can I use the function BIO_new_fp(stdout, BIO_NOCLOSE) to print the 
 value to another character array instead of stdout? If not this, which Bio_ 
 function I can use so that it will convert to Base64 and put it in char 
 buffer ?? 

I think you want to use a memory BIO, e.g. BIO_new(BIO_s_mem()).

If your C library has the funopen() call, you could use that to write to a 
memory buffer using BIO_new_fp(), but that seems silly. :)



Re: How is MD5 fingerprint on X509 created?

2011-04-19 Thread Wim Lewis

On 19 Apr 2011, at 10:55 AM, Matt C wrote:
 Should I be hashing the entire contents of the PEM file, only part, or is 
 there additional data I need to add?

The fingerprint that openssl computes is the hash of the entire certificate in 
DER format. You should be able to recover the DER-formatted certificate by 
base64-decoding the block of text between the BEGIN/END lines in the 
PEM-formatted certificate.

There are other hashes of various parts of the certificate, used for other 
things, but if you're trying to duplicate what openssl -fingerprint is doing, 
that's how.



Re: Verify signed text

2011-03-30 Thread Wim Lewis

On 30 Mar 2011, at 9:59 AM, luis hernandez wrote:
 i get a file with a signed base64 string produced using the following 
 commands:
  
 openssl dgst -md5 -sign key.pem stringtosign.txt | openssl enc -base64 -A > 
 signedbase64string.txt
  
 that signed string is part of a text file that includes the certificate in 
 pem format without the public key. 
 from that file i can get the original stringtosign.txt but because the key 
 belongs to the owner and i can not have it. 
 is it possible to verify that the signedbase64string is correct only with the 
 information i have?

The certificate contains the public part of the key (as well as some other 
information), which allows you to verify the signature. I think the -verify 
argument to dgst will do what you want.



Re: DH: safe prime issue

2011-03-30 Thread Wim Lewis
On 30 Mar 2011, at 6:19 AM, ikuzar wrote:
 I 'd like to know if it is a security issue when p ( a DH param ) is not a 
 safe prime ?
 is it easier to attack the DH algorithm with a non-safe prime ... ?

Yes. If p-1 does not have large factors, then it is easier to compute the 
discrete logarithm and recover the message. See:

  C.H. Lim and P.J. Lee, A key recovery attack on discrete log-based schemes 
using a prime order subgroup
  http://citeseer.ist.psu.edu/viewdoc/summary?doi=10.1.1.44.5296

  R. Zuccherato, Methods for Avoiding the Small-Subgroup Attacks on the 
Diffie-Hellman Key Agreement Method for S/MIME
  http://tools.ietf.org/rfc/rfc2785.txt

  And Wikipedia on safe primes ( http://en.wikipedia.org/wiki/Safe_prime ):
 Safe primes are also important in cryptography because of their use in 
 discrete logarithm-based techniques like Diffie-Hellman key exchange. If 2p + 
 1 is a safe prime, the multiplicative group of numbers modulo 2p + 1 has a 
 subgroup of large prime order. It is usually this prime-order subgroup that 
 is desirable, and the reason for using safe primes is so that the modulus is 
 as small as possible relative to p.




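The difference between a safe prime and an arbitrary prime, and the public-value check from the RFC 2785 reference above, can be seen with toy parameters. This is an added example, not code from the post, from the cited papers or from OpenSSL; the primes are tiny so that every subgroup order can be enumerated by brute force (real parameters are 2048 bits or more), and the function names are mine.

```python
"""Why a non-safe DH prime is a problem, and the public-value check that guards
against it. Added example with toy primes; the functions are not OpenSSL's."""
from math import isqrt


def is_prime(n):
    return n >= 2 and all(n % d for d in range(2, isqrt(n) + 1))


def is_safe_prime(p):
    """p = 2q + 1 with q prime: then p - 1 has no factor other than 2 and q,
    so the only subgroups of Z_p^* have order 1, 2, q or 2q."""
    return is_prime(p) and p > 3 and is_prime((p - 1) // 2)


def element_order(g, p):
    """Multiplicative order of g mod prime p, by brute force (toy sizes only)."""
    x, k = g % p, 1
    while x != 1:
        x = x * g % p
        k += 1
    return k


def subgroup_orders(p):
    """Every subgroup order that occurs in Z_p^*. With a non-safe prime the small
    ones are the problem: a peer public value of order r confines the shared
    secret to r possibilities and leaks the private exponent mod r (the
    small-subgroup attack in the Lim-Lee paper cited above)."""
    return sorted({element_order(g, p) for g in range(1, p)})


def validate_public_value(y, p, q):
    """Check on a received DH public value for a group whose working subgroup has
    prime order q (RFC 2785 style): range check plus y^q == 1 mod p, which rejects
    any value outside the order-q subgroup, including order-2 elements such as p - 1."""
    return 1 < y < p - 1 and pow(y, q, p) == 1


SAFE_P, SAFE_Q = 23, 11        # 23 = 2*11 + 1, so q = 11
UNSAFE_P = 31                  # 31 - 1 = 2 * 3 * 5: subgroups of order 3, 5, 6, ... exist


def demo():
    """Collect the observations a reviewer of DH parameters would want to see."""
    return {
        "safe_prime_orders": subgroup_orders(SAFE_P),
        "unsafe_prime_orders": subgroup_orders(UNSAFE_P),
        "order_of_5_mod_31": element_order(5, UNSAFE_P),
        "accept_4_mod_23": validate_public_value(4, SAFE_P, SAFE_Q),
        "accept_22_mod_23": validate_public_value(22, SAFE_P, SAFE_Q),
    }
```

For p = 23 the only orders are 1, 2, 11 and 22, so a received value either passes the y^q check or is trivially detectable; for p = 31 the value 5 has order 3, and with a cyclic group of order 30 every divisor of 30 appears as a subgroup order. With a safe prime the two checks in validate_public_value() are the whole story; with an arbitrary prime you would additionally need the factorisation of p - 1 to know which small subgroups to worry about.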
Re: Verify signed text

2011-03-30 Thread Wim Lewis

On 30 Mar 2011, at 12:02 PM, luis hernandez wrote:
 Thanks Wim,
  
 i know that cer pem files have the public key in it like:
  
 -----BEGIN PUBLIC KEY-----
 MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDD0ltQNthUNUfzq0t1GpIyapjz...
 -----END PUBLIC KEY-----
 -----BEGIN CERTIFICATE-----
 MIIE/TCCA+WgAwIBAgIUMzAwMDEwMDAwMDAxMDAwMDA4MDAwDQYJKoZIhvcNAQEF...
 -----END CERTIFICATE-----
  
 but what i receive is:
 signedstring:ki987jjhfw84hf7ewh9f497fe9hihfw87yr79g23hfd937f237fg327f2...
 certificate:MIIE/TCCA+WgAwIBAgIUMzAwMDEwMDAwMDAxMDAwMDA4MDAwDQYJKoZIhvcNAQEF...
 some other data...
  
 so from that can i verify the signed string?


You should be able to either base64-decode the certificate text to get a 
certificate in DER format, or you could surround it by BEGIN/END CERTIFICATE 
lines to get a certificate in PEM format.


Even though your .cer files have both a PUBLIC KEY blob and a CERTIFICATE blob, 
the certificate blob includes all the public-key information needed to verify a 
message. In effect, a certificate is a copy of your public key that's been 
signed by the certificate authority.


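An added Python example (not from the thread) of the step both replies above describe: turning the bare base64 certificate string into a PEM block, with a sanity check that the decoded bytes are one complete DER SEQUENCE before handing the file to openssl. The sample blob in the main block is a tiny constructed SEQUENCE, not a real certificate.

```python
import base64


def der_length(der: bytes, offset: int) -> tuple[int, int]:
    """Decode a DER length field at offset; return (length, bytes consumed)."""
    first = der[offset]
    if first < 0x80:                       # short form: one byte
        return first, 1
    n = first & 0x7F                       # long form: n more length bytes
    if n == 0 or n > 4 or offset + 1 + n > len(der):
        raise ValueError("unsupported or truncated DER length")
    return int.from_bytes(der[offset + 1:offset + 1 + n], "big"), 1 + n


def check_der_sequence(der: bytes) -> int:
    """A certificate is a single DER SEQUENCE (tag 0x30) whose length must cover
    the whole blob; returns the inner length or raises ValueError."""
    if not der or der[0] != 0x30:
        raise ValueError("blob does not start with a SEQUENCE tag")
    length, consumed = der_length(der, 1)
    if 1 + consumed + length != len(der):
        raise ValueError("SEQUENCE length does not match blob size")
    return length


def pem_from_der(der: bytes, label: str = "CERTIFICATE") -> str:
    """Base64-encode DER and wrap it in 64-column lines between BEGIN/END armour."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def wrap_pem(b64: str, label: str = "CERTIFICATE") -> str:
    """Turn a bare base64 certificate string (as received in the message)
    into PEM, after checking it decodes to a plausible DER certificate."""
    der = base64.b64decode("".join(b64.split()), validate=True)
    check_der_sequence(der)
    return pem_from_der(der, label)


def looks_like_der_certificate(b64: str) -> bool:
    """Same check as wrap_pem, reported as a boolean (base64 errors are ValueErrors)."""
    try:
        wrap_pem(b64)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: SEQUENCE { INTEGER 5 }, base64 "MAMCAQU=".
    print(wrap_pem("MAMCAQU="))
```

The resulting file is what openssl x509 -pubkey and then openssl dgst -verify expect; the signed string needs the same base64 decoding before it is passed as the -signature file.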


Re: default certs path not used

2011-02-05 Thread Wim Lewis

On Feb 4, 2011, at 2:08 PM, Kārlis Repsons wrote:
> perhaps there is someone out there, who knows why openssl doesn't seem
> to look for certs in /etc/ssl/certs as indicated in openssl.cnf:
>
> [ ca ]
> default_ca  = CA_default            # The default ca section
>
> [ CA_default ]
> dir         = /etc/ssl              # Where everything is kept
> certs       = $dir/certs            # Where the issued certs are

I may be wrong ... but I think the [ ca ] and [ CA_default ] sections only 
apply to the openssl ca command, not to arbitrary SSL connections. I think the 
certs dir is hardcoded at compile time (X509_CERT_DIR in crypto/cryptlib.h) or 
is read from the $SSL_CERT_DIR environment variable. openssl version -d will 
tell you the directory.




Re: How does privatekey ever get defined?

2010-11-01 Thread Wim Lewis

On 1 Nov 2010, at 12:05 PM, Eichenberger, John wrote:
> I am planning on adding code to call SSL_CTX_use_PrivateKey.  I do not
> have a key file to supply, so I cannot use SSL_CTX_use_PrivateKey_file.
>
> However, I thought I would ask about this because I've reviewed the code
> for both of those procedures and still see no place where the privatekey
> member variable would be defined.  So it seems like a useless endeavor.


It looks like:
   SSL_CTX_use_PrivateKey_file() calls SSL_CTX_use_PrivateKey()
   SSL_CTX_use_PrivateKey() calls the internal function ssl_set_pkey()
   ssl_set_pkey() assigns to the 'privatekey' member of the CERT structure.

ssl_set_pkey() actually assigns to cert->pkeys[...].privatekey, and then points
cert->key to the specific pkeys[] entry. The comment on the declaration for
cert->key says:

  /* ALWAYS points to an element of the pkeys array
   * Probably it would make more sense to store
   * an index, not a pointer. */




Re: How can I load a PEM key stored in a string instead from a file?

2010-10-26 Thread Wim Lewis
PEM_read_PrivateKey() is a wrapper around PEM_ASN1_read() (which reads an 
arbitrary ASN.1 object from a PEM-encoded blob) and d2i_PrivateKey() (which 
knows how to read a private key blob specifically).

PEM_ASN1_read() simply creates a BIO from the FILE* that you give it, and calls 
PEM_ASN1_read_bio(). If you want, you can instead create a BIO from your string 
using something like BIO_new_mem_buf() and call PEM_ASN1_read_bio() yourself. 
(A BIO is an openssl object that's like a more general-purpose FILE*.)

BTW, if your keys are stored in a database, there's probably no need for them 
to be PEM-encoded; you can save a bit of space and time by storing them in DER 
format and calling d2i_PrivateKey() directly. (PEM format is more or less just 
base64-encoded DER.) There's a FAQ entry on this:
http://www.openssl.org/support/faq.html#PROG3





Re: Openssl certificate date issue

2010-10-13 Thread Wim Lewis

On 12 Oct 2010, at 11:48 PM, Vinay Kumar L wrote:
> I am trying to generate a certificate which is valid for 20 years. As the
> 20 years crosses the unix end time (January 19, 2038 03:14:07 GMT) from the
> current date, the openssl certificate generated will have wrong dates

My understanding is that this is fixed in openssl 1.0.0, but not in 0.9.x. I 
couldn't find a pr for it, although it has come up on this mailing list a few 
times.




Re: Code Sample | Download Certificate

2010-09-15 Thread Wim Lewis

On Sep 15, 2010, at 6:24 AM, Ranjith Venkatesh wrote:
> Is it possible to download a certificate given the website eg:
> https://domainX.com using openssl functions?
> If yes, what are relevant functions and relevant code samples?

It's possible to do this using openssl s_client -showcerts. You can see an 
example if you look at the source of the s_client command (apps/s_client.c) --- 
call SSL_get_peer_certificate() or SSL_get_peer_cert_chain(), then do what you 
want with the returned cert (e.g. PEM_write_bio_X509()).




Re: Basics concepts about openssl+rsa

2010-08-17 Thread Wim Lewis

On Aug 17, 2010, at 12:37 PM, Leandro Santiago wrote:
> It's really a basic doubt: How can I parse a file with the public key
> to a struct which I can use to encrypt the string. Maybe just a
> simple_example.c... :-) And also an example about decrypt using the
> private key, of course :-)
>
> I'm reading this page:
> http://www.openssl.org/docs/crypto/rsa.html
> but manuals aren't good to a beginner :-)

Yes, it's pretty hard to get oriented when starting to use openssl.

It's usually easier to avoid the lowest-level RSA_foo() functions in favor of 
the slightly more abstract EVP_(PKEY_)foo() functions. (This also lets you 
switch algorithms etc. later without rewriting everything.)

IIRC, what you need to do is load the public or private key using either a 
PEM_read_* function or a d2i_*() function, depending on whether the key is in a 
PEM or DER format:
   http://www.openssl.org/docs/crypto/pem.html
   http://www.openssl.org/docs/crypto/d2i_PKCS8PrivateKey.html

For the basic public-key operation, you use functions that operate on an 
EVP_PKEY_CTX:
   http://www.openssl.org/docs/crypto/EVP_PKEY_encrypt.html

But for any real-world application, you'll want to do the standard business of 
generating a session key, encrypting the message using conventional symmetric 
encryption, and encrypting the session key with the public key. Since that's a 
lot of hassle and it's very easy to write something that works but isn't 
secure, it's probably a good idea to just adopt one of the higher level 
cryptographic containers such as CMS:
   http://www.openssl.org/docs/crypto/CMS_encrypt.html

even though this does mean you start having to deal with all the X.509 crud.




Re: Basics concepts about openssl+rsa

2010-08-17 Thread Wim Lewis

On Aug 17, 2010, at 3:19 PM, Wim Lewis wrote:
> But for any real-world application, you'll want to do the standard business
> of generating a session key, encrypting the message using conventional
> symmetric encryption, and encrypting the session key with the public key.
> Since that's a lot of hassle and it's very easy to write something that works
> but isn't secure, it's probably a good idea to just adopt one of the higher
> level cryptographic containers such as CMS:
>   http://www.openssl.org/docs/crypto/CMS_encrypt.html
>
> even though this does mean you start having to deal with all the X.509 crud.

Ah, I forgot about http://www.openssl.org/docs/crypto/EVP_SealInit.html and 
friends, maybe that would be an easier approach.




Re: Simulating Mac keychain CSR with OpenSSL

2010-07-28 Thread Wim Lewis

On Jul 28, 2010, at 2:38 PM, Todd Oberly wrote:
> It's obviously asking for just a subset of what would typically go into a
> CSR.  I tried generating several different CSR's with OpenSSL, containing
> various information (and then converting the files to Mac line endings), but
> the instructions seem to be right.  Only the CSR I made on a friend's Mac was
> accepted.  [...] It's also possible that I just missed the right combination,
> and trying again will make a CSR that works.

Well, I haven't tried submitting an OpenSSL-generated CSR to Apple, but the 
CertificateAssistant-generated CSR looks pretty normal. I have a vague memory 
that Apple's fussy about the key type; are you using a 2048-bit RSA key?

I ran asn1parse on a successfully-submitted-to-Apple CSR and I see this 
structure:

[
  version = v1
  subject = { emailAddress = IA5STRING, commonName = UTF8STRING, countryName = 
PRINTABLESTRING }
  subjectPKInfo = [ [ rsaEncryption, NULL ],  the usual key parameters, 
e=65537, m ~ 2^2048 ]
  attributes = empty sequence
]

signed using sha1WithRSAEncryption.


> I don't like mysteries, and don't like being locked into one platform.

Understandable, though I think that once you're using Apple's notification 
service for your iPhones, the way you generate your X.509 key is the least of 
your lockin worries. :)





Re: Simple question about SSL certs

2010-07-26 Thread Wim Lewis
On Jul 26, 2010, at 12:55 PM, Bryan Boone wrote:
> I would like to write an LDAP client that when a user connects to an LDAP
> server with SSL, that the client cert is automatically downloaded to the
> client.  Then a prompt asks the client to accept or reject the cert.  Is this
> possible when using the OpenSSL C libraries?

Do you mean the client cert (the certificate that the client has, which it uses 
to prove its identity to the server --- a relatively rare setup) or the server 
cert (the certificate that the server has, which it uses to prove its identity 
to the client --- a very common setup)?

If the latter, I think what you want to do is set a verify callback on the SSL 
context using SSL_CTX_set_verify(). The callback will be given the opportunity 
to decide whether to trust a given certificate, which you can do by prompting 
the user if you like.

Keep in mind that in the general case you actually have a whole chain of 
certificates to consider --- from the certificate authority (which, in the 
X.500 world, is what you actually trust) to the server (which you're actually 
talking to).




Re: Revival of ERR_free_state_table / alt solution

2009-11-08 Thread Wim Lewis


On Oct 7, 2009, at 8:19 AM, Thomas Harning Jr. wrote:

> I'm writing a browser and a library that use OpenSSL for cryptography
> support.  I want to best be able to fully cleanup state when my
> plugin/library is unloaded, however it seems to me that it's not
> possible to clear out all thread-associated error state since I'm not
> managing the threads accessing my code.
>
> Example:
> Thread A - loads plugin
> Thread B - access plugin code (note: thread-safe)
>  plugin code raises OpenSSL error... cleans out error stack
> after reporting
> Thread A - unloads plugin, tries to cleanup OpenSSL
>
> Thread B's actual state is not freed since it is unknown to the plugin
> code whether a given thread is done accessing code.  In thread A
> during shutdown, it only knows about thread A and the need to clean
> its state.


I may be completely clueless here, but since no one else has replied:
does ERR_remove_thread_state(NULL) (previously ERR_remove_state(0)) do
what you need? You'd need to call it in thread B, and as a result
you'd end up creating and destroying the thread state each time you
get invoked, but...





Re: Memory leaks...

2009-11-08 Thread Wim Lewis


On Nov 7, 2009, at 2:50 PM, barcaroller wrote:
> I'm getting some memory leaks when I use OpenSSL.  I was not able to get rid
> of these leaks, even when I use EVP_cleanup() and ERR_free_strings() at the
> end of my program.
>
> []
>
>    ==27769== 24 bytes in 1 blocks are still reachable in loss record 2 of 20


I'm guessing these are all ENGINEs which were lazily created the first
time they were needed. Notice that they're "still reachable", so
they're not necessarily leaks in the usual sense. Have you tried
calling ENGINE_cleanup()?

The apps.h header in the openssl distribution has a macro which uses
this sequence for shutdown:

  CONF_modules_unload(1);
  EVP_cleanup();
  ENGINE_cleanup();
  CRYPTO_cleanup_all_ex_data();
  ERR_remove_state(0);
  ERR_free_strings();

Other cleanup methods include:

  OBJ_cleanup();
  COMP_zlib_cleanup();
  RAND_cleanup();

but I'm rather unclear on which need to be called.

