From: janjust at nikhef.nl (Jan Just Keijser)
Date: Thu, 1 Apr 2021 09:43:07 +0200
Subject: Why does OpenSSL report google's certificate is "self-signed"?

On 31/03/21 19:43, Michael Wojcik wrote:
>> From: openssl-users On Behalf Of Viktor Dukhovni
>> Sent: Wednesday, 31 March, 2021 10:31
>> To: openssl-users at openssl.org
>> Subject: Re: Why does OpenSSL report google's certificate is "self-signed"?
>>
>> It looks like Google includes a self-signed root CA in the wire
>> certificate chain, and if no match is found in the trust store,
>> you'll get the reported error.
>
> What do people think about this practice of including the root in the chain?
>
> As far as I can see, neither PKIX (RFC 5280) nor the CA/BF Baseline Requirements say anything about the practice, though I may have missed something. I had a vague memory that some standard or "best practice" guideline somewhere said the server should send the chain up to but not including the root, but I don't know what that might have been.
>
> On the one hand, including the root doesn't help with path validation: either some certificate along the chain is a trust anchor already, in which case there's no need to include the root; or it isn't, in which case the peer has no reason to trust the chain.
>
> On the other, it's useful for debugging, and perhaps for quickly finding whether the highest intermediate in the chain is signed by a trusted root if that intermediate is missing an AKID (though we'd hope that isn't the case).
>
> I can also see an application deferring trust to the user in this case: "this chain ends in this root, which you don't currently trust, but maybe you'd like to add it?". Which doesn't seem like a great plan either -- and PKIX says trust anchors should be added using a trustworthy out-of-band procedure, which this is not -- but I suppose it's a conceivable use case.
The only thing I'd like to add to this is that whenever I *do* include the root anchor in a website and run Qualys' ssllabs test on it, I get a (minor) warning:

  Additional Certificates (if supplied)
  Certificates provided    3 (5051 bytes)
  Chain issues             Contains anchor

Unfortunately their documentation does not state *why* they print out this warning or why it would be bad, but I normally remove the trust anchor from the webserver certificate chain nevertheless. It could very well be that I'm not the only web admin that follows their advice in this respect.

JM2CW,

JJK / Jan Just Keijser


From: pauli at openssl.org (Dr Paul Dale)
Date: Thu, 1 Apr 2021 17:49:20 +1000
Subject: Why does OpenSSL report google's certificate is "self-signed"?

Perhaps ask Qualys to answer your concerns directly? They must have a reason for including this warning.

Pauli

From: janjust at nikhef.nl (Jan Just Keijser)
Date: Thu, 1 Apr 2021 10:40:27 +0200
Subject: Why does OpenSSL report google's certificate is "self-signed"?
On 01/04/21 09:49, Dr Paul Dale wrote:
> Perhaps ask Qualys to answer your concerns directly? They must have a
> reason for including this warning.

oh, I am not particularly /concerned/ about it - it's just that I noticed Qualys spits out this warning whenever I do include the root anchor, without bothering to tell me *why*. A search points me to this discussion:

  https://qualys-secure.force.com/discussions/s/article/000003197

which says it is harmless to include the root anchor, except that it will increase your site's latency due to a (slightly) larger TLS handshake.

cheers,

JJK / Jan Just Keijser

From: markhack at markhack.com (Mark Hack)
Date: Thu, 01 Apr 2021 08:44:47 -0500
Subject: Why does OpenSSL report google's certificate is "self-signed"?
RFC6066:

    Note that when a list of URLs for X.509 certificates is used, the
    ordering of URLs is the same as that used in the TLS Certificate
    message (see [RFC5246], Section 7.4.2), but opposite to the order in
    which certificates are encoded in PkiPath. In either case, the
    self-signed root certificate MAY be omitted from the chain, under the
    assumption that the server must already possess it in order to
    validate it.

On Wed, 2021-03-31 at 14:09 -0400, Viktor Dukhovni wrote:
> On Mar 31, 2021, at 2:04 PM, Walter H. wrote:
>
> > On 31.03.2021 19:48, Viktor Dukhovni wrote:
> > > On Mar 31, 2021, at 1:43 PM, Michael Wojcik <Michael.Wojcik at microfocus.com> wrote:
> > > >
> > > > As far as I can see, neither PKIX (RFC 5280) nor the CA/BF
> > > > Baseline Requirements say anything about the practice, though I
> > > > may have missed something. I had a vague memory that some
> > > > standard or "best practice" guideline somewhere said the server
> > > > should send the chain up to but not including the root, but I
> > > > don't know what that might have been.
> > >
> > > Inclusion of the self-signed root is harmless.
> >
> > do some admins really do this?
>
> Since it is possible to do, inevitably some will do it.
>
> > > The only case that I know of where this is actually necessary is
> > > with DANE-TA(2) when the TLSA RRset has a hash of the trusted
> > > root cert or public key.
> >
> > this case is history, there doesn't exist any user agent, which has
> > implemented this;
>
> Well, that's false, just because you're not familiar with it, does not
> mean it does not exist. OpenSSL, Postfix, Exim, Halon MTA, Cisco ESA,
> PowerMTA, ... all support DANE, including DANE-TA(2).
>
> Yes, no major browsers as yet support DANE. But not all TLS is HTTPS
> and not all HTTPS is browsers viewing websites.


From: Michael.Wojcik at microfocus.com (Michael Wojcik)
Date: Thu, 1 Apr 2021 14:21:44 +0000
Subject: Why does OpenSSL report google's certificate is "self-signed"?

Thanks to everyone who responded. You've confirmed my impression:

- There doesn't appear to be any applicable standard which requires or forbids including the root, or even endorses or discourages it.

- It's harmless except for performance issues and possible low-severity flags from analyses like Qualys's. (I wouldn't be surprised to have a customer raise this -- many of our customers run various scanning tools -- but for the products I work with, customers configure certificate chains anyway, so it's not a product issue.)

- Performance issues are likely negligible in many cases, where servers aren't dealing with huge workloads, but it's worth remembering that eventually people will be deploying PQC and most of the NIST finalists involve significantly larger keys or signatures. (They don't *all* have much larger keys/signatures; Falcon has a small combined public key and signature, if memory serves.)

-- 
Michael Wojcik


From: Michael.Wojcik at microfocus.com (Michael Wojcik)
Date: Thu, 1 Apr 2021 14:21:43 +0000
Subject: Why does OpenSSL report google's certificate is "self-signed"?
> From: openssl-users On Behalf Of Mark Hack
> Sent: Thursday, 1 April, 2021 07:45
> To: openssl-users at openssl.org
> Subject: Re: Why does OpenSSL report google's certificate is "self-signed"?
>
> RFC6066
>
>     Note that when a list of URLs for X.509 certificates is used, the
>     ordering of URLs is the same as that used in the TLS Certificate
>     message (see [RFC5246], Section 7.4.2), but opposite to the order in
>     which certificates are encoded in PkiPath. In either case, the
>     self-signed root certificate MAY be omitted from the chain, under the
>     assumption that the server must already possess it in order to
>     validate it.

Thanks! I thought I'd seen something about the question in some standard.

Having seen this, I see that RFC 8446 (TLSv1.3) has essentially the same language: "a certificate that specifies a trust anchor MAY be omitted from the chain" (4.4.2).

So servers are good either way.

-- 
Michael Wojcik


From: uri at ll.mit.edu (Blumenthal, Uri - 0553 - MITLL)
Date: Thu, 1 Apr 2021 16:08:34 +0000
Subject: Why does OpenSSL report google's certificate is "self-signed"?

In general - I concur, but there are nuances: sending root CA cert is mostly harmless, but mostly useless - except when there's a human on the receiving end that can and is allowed to make a decision to accept and trust that CA cert.

Re. PQC - even the "smallest" among them are much larger than what the Classic keys and signatures are. E.g., Falcon-1024 signature is 1330 bytes (or often less - say, 1200 bytes). Falcon-1024 public key is 1793 bytes. Compare to, e.g., ECC-384 sizes...
NTRU public keys are "easier", but not by that much: 1230 bytes. Kyber public key is 1568 bytes. And I picked the *smallest* ones - those I'd consider using myself.

There's also McEliece...

-- 
Regards,
Uri

There are two ways to design a system. One is to make it so simple there are obviously no deficiencies. The other is to make it so complex there are no obvious deficiencies.
                                                                      - C. A. R. Hoare


From: peter.sylvester at gmail.com (Peter Sylvester)
Date: Thu, 1 Apr 2021 18:23:30 +0200
Subject: Why does OpenSSL report google's certificate is "self-signed"?

On 01/04/2021 16:21, Michael Wojcik wrote:
> Thanks to everyone who responded.
> You've confirmed my impression:
>
> - There doesn't appear to be any applicable standard which requires or forbids including the root, or even endorses or discourages it.
>

rfc8446 page 65:

    .... The sender's certificate MUST come in the first
    CertificateEntry in the list. Each following certificate SHOULD
    directly certify the one immediately preceding it. Because
    certificate validation requires that trust anchors be distributed
    independently, a certificate that specifies a trust anchor MAY be
    omitted from the chain, provided that supported peers are known to
    possess any omitted certificates.

    Note: Prior to TLS 1.3, "certificate_list" ordering required each
    certificate to certify the one immediately preceding it; however,
    some implementations allowed some flexibility. Servers sometimes
    send both a current and deprecated intermediate for transitional
    purposes, and others are simply configured incorrectly, but these
    cases can nonetheless be validated properly. For maximum
    compatibility, all implementations SHOULD be prepared to handle
    potentially extraneous certificates and arbitrary orderings from any
    TLS version, with the exception of the end-entity certificate which
    MUST be first.


From: Michael.Wojcik at microfocus.com (Michael Wojcik)
Date: Thu, 1 Apr 2021 16:43:23 +0000
Subject: Why does OpenSSL report google's certificate is "self-signed"?

> From: Blumenthal, Uri - 0553 - MITLL
> Sent: Thursday, 1 April, 2021 10:09
> To: Michael Wojcik; openssl-users at openssl.org
> Subject: Re: Why does OpenSSL report google's certificate is "self-signed"?
>
> In general - I concur, but there are nuances: sending root CA cert is mostly
> harmless, but mostly useless - except when there's a human on the receiving
> end that can and is allowed to make a decision to accept and trust that CA
> cert.

Agreed. I tried to capture the summary of pros and cons in the document I'm writing for our customers.

> Re. PQC - even the "smallest" among them are much larger than what the
> Classic keys and signatures are. E.g., Falcon-1024 signature is 1330 bytes
> (or often less - say, 1200 bytes). Falcon-1024 public key is 1793 bytes.
> Compare to, e.g., ECC-384 sizes... NTRU public keys are "easier", but not by
> that much: 1230 bytes. Kyber public key is 1568 bytes. And I picked the
> *smallest* ones - those I'd consider using myself.
>
> There's also McEliece...

Yeah, if NIST standardizes on Classic McEliece for KEM, that's going to give us some *big* keys.

Certainly for resource-constrained applications, like embedded or high-volume, it makes sense to omit the root even with ECC. A few KB here and there will add up.

-- 
Michael Wojcik


From: mahajanshetty at outlook.com (Vishwanath Mahajanshetty)
Date: Fri, 2 Apr 2021 06:24:29 +0000
Subject: Regarding RAND_set_rand_method

Hi,

I have some doubts/questions on how to use methods (for ex: RAND_set_rand_method) in a multi-threaded application which uses OpenSSL. In my application (running on OpenSSL 1.1.1d) there are two threads which use OpenSSL; both threads perform very different operations. The issue I am facing is as below:

Thread T1 calls RAND_set_rand_method() and sets a RAND_METHOD structure. This is very specific to T1's use case. When thread T2 wants to create an SSL_CTX it calls SSL_CTX_new(), which then calls RAND_priv_bytes(). I am observing that the function RAND_priv_bytes() is calling the function set by T1 via RAND_METHOD in RAND_set_rand_method().
Essentially the RAND_METHOD functions set by thread T1 are getting called by thread T2.

Q1: I want to know, is there any way to avoid this problem? I want thread T2 to call the default RAND methods and avoid calling the methods set by thread T1. This is not only for RAND methods, but for any other methods.

Q2: Also, is it possible to run OpenSSL as a separate instance per thread (where each thread can do its own OpenSSL initialization) so that they can avoid the above mentioned problem?

Thank you,
Vishwanath M


From: pauli at openssl.org (Dr Paul Dale)
Date: Fri, 2 Apr 2021 16:51:28 +1000
Subject: Regarding RAND_set_rand_method

There isn't an easy way to do what you want in 1.1.1.

RAND_set_rand_method replaces the RNG for all of OpenSSL. In theory your RAND_METHOD could detect which thread it is running in and do different things for each. I'm not sure this is a good idea however.

Why aren't the random numbers from your first thread good enough for the second? Good random numbers are just that - random. It should be impossible to distinguish the two streams.

In OpenSSL 3.0 there are ways to achieve what you're wanting.

Pauli

From: Matthias.St.Pierre at ncp-e.com (Dr. Matthias St. Pierre)
Date: Fri, 2 Apr 2021 11:27:53 +0000
Subject: Regarding RAND_set_rand_method

Re Q1: I want to know is there any way to avoid this problem? I want thread T2 to call default RAND methods and avoid calling methods set by thread T1. This is not only for RAND methods, but for any other methods.

First of all, I agree with Pauli: your first question should be, why do you need different random generators for different threads in the same application? Is this necessary, or are you overengineering?

Let me clarify some details about the RNG implementation in OpenSSL 1.1.1:

The RAND_METHOD interface itself is not thread aware. It is only the new default RAND_METHOD implementation (added in 1.1.1) of OpenSSL (RAND_OpenSSL()), which supports thread local random generators. The implementation is based on deterministic random bit generators (DRBG) as described in NIST.SP.800-90Ar1. When a thread calls RAND_bytes() (resp.
RAND_priv_bytes()), the call is forwarded to the thread-specific DRBG instance. All per-thread instances reseed from a single global DRBG instance, which in turn reseeds from random sources provided by the operating system.

In your case, by replacing the RAND_METHOD, you are changing the complete RAND implementation for all threads. Moreover, you are completely responsible yourself for reseeding your RNG properly.

You could however implement a smarter RAND_METHOD which calls your specific RNG for T1 and delegates to the thread local DRBG (RAND_DRBG_get0_public() resp. RAND_DRBG_get0_private()) for all other threads. To get an idea how it can be done, take a look at the default implementation of RAND_bytes(), drbg_bytes() in drbg_lib.c:

  https://github.com/openssl/openssl/blob/OpenSSL_1_1_1-stable/crypto/rand/drbg_lib.c#L958-L970

Re Q2: Also, is it possible to run OpenSSL as separate instance per thread (where each thread can do its own OpenSSL initialization) so that they can avoid above mentioned problem?

No. If you really need something like that, you might want to consider splitting your two threads into two processes.

HTH,
Matthias

From: vadivel86 at gmail.com (Vadivel P)
Date: Sat, 3 Apr 2021 10:07:47 +0530
Subject: Fwd: Nginx Server : fatal Error from Server

Nginx Team,

Creating Nginx server in local setup.

Versions we use:

  nginx version: nginx/1.18.0 (Ubuntu)
  OpenSSL 1.1.1f  31 Mar 2020

OS Version:

  No LSB modules are available.
  Distributor ID: Ubuntu
  Description:    Ubuntu 20.04.1 LTS
  Release:        20.04
  Codename:       focal

From Nginx server error log:

  2021/03/05 13:56:19 [crit] 82641#82641: *5 SSL_do_handshake() failed (SSL: error:14201044:SSL routines:tls_choose_sigalg:internal error) while SSL handshaking, client: 10.201.35.201, server: 0.0.0.0:443

We are able to see the client hello packet from the client, and the server sends [Alert] internal error as the response to the client instead of a server hello. The SSL handshake is failing here. Please let me know any changes needed in the nginx cipher config, because from the client side the DUT is trying to initiate a connection to the server and the server is declining it.


From: mahajanshetty at outlook.com (Vishwanath Mahajanshetty)
Date: Sat, 3 Apr 2021 08:41:04 +0000
Subject: openssl-users Digest, Vol 77, Issue 4

Thank You Paul and Matthias for your help.

The reason I am trying to have a separate RAND_METHOD for the two threads is that the first thread, which runs DNS bind code, registers a RAND_METHOD through the dnssec module in it. It registers via either ENGINE_set_default_RAND() or RAND_set_rand_method(), based on whether OPENSSL_NO_ENGINE is defined or not. But the problem is, under some circumstances the random number generator enters into blocking mode and starts to wait for some events on some FDs, and it blocks in the select() system call. dst__entropy_getdata() from the bind code is doing this. I am not sure under what cases it enters into blocking mode.
So if I use this RAND_METHOD in the second thread (basically this thread does a different task of handling DoT, DNS over TLS, connections, which is not related to the first thread w.r.t. SSL functionality), then while creating an SSL_CTX this thread gets stuck in the select() system call randomly (it happens very rarely, as decided by dst__entropy_getdata()); this can happen at any time during the SSL connection lifetime, whenever it wants to get random data.

I agree with you that we should have done this as a separate process instead of a new thread; but I am trying to figure out if I can somehow avoid this situation.

As you mentioned, I tried to look into the implementation of RAND_bytes() and drbg_bytes(). When SSL_CTX_new() calls RAND_bytes(), it calls RAND_get_rand_method(), which returns the RAND_METHOD set by the bind thread. So if I avoid configuring the RAND_METHOD in the bind thread, then RAND_get_rand_method() will return rand_meth, which is the OpenSSL default RAND_METHOD; but if I make this change the bind thread will move away from its RAND_METHOD functions and start using the OpenSSL default functions, which may change its behaviour.

So I am still confused how I can make the bind thread use its own RAND_METHOD and the DoT thread use the default OpenSSL RAND_METHOD. It would be really helpful if you can explain this with a little more detail (are there any APIs I can call from one thread to use its specific RAND_METHOD while other threads continue to use the OpenSSL default RAND_METHOD?).
Thank You,
Vishwanath M
> The issue I am facing is as below:
>
> Thread T1 calls RAND_set_rand_method() and sets a RAND_METHOD structure.
> This is very specific to T1's use case. When thread T2 wants to create an
> SSL_CTX it calls SSL_CTX_new(), which then calls RAND_priv_bytes(). I
> am observing that the function RAND_priv_bytes() is calling the
> function set by T1 in the RAND_METHOD passed to RAND_set_rand_method().
>
> Essentially the RAND_METHOD functions set by thread T1 are getting called
> by thread T2.
>
> Q1: I want to know whether there is any way to avoid this problem. I want
> thread T2 to call the default RAND methods and avoid calling the methods set
> by thread T1. This is not only for RAND methods, but for any other
> methods.
>
> Q2: Also, is it possible to run OpenSSL as a separate instance per
> thread (where each thread can do its own OpenSSL initialization) so
> that they can avoid the above-mentioned problem?
>
> Thank you,
>
> Vishwanath M

------------------------------

Message: 2
Date: Fri, 2 Apr 2021 11:27:53 +0000
From: "Dr. Matthias St. Pierre"
To: Dr Paul Dale, "openssl-users at openssl.org"
Subject: RE: Regarding RAND_set_rand_method
Message-ID: <7056523443ae4f94bca32240c4f24533 at ncp-e.com>
Content-Type: text/plain; charset="us-ascii"

Re Q1: I want to know whether there is any way to avoid this problem. I want thread T2 to call the default RAND methods and avoid calling the methods set by thread T1. This is not only for RAND methods, but for any other methods.

First of all, I agree with Pauli: your first question should be, why do you need different random generators for different threads in the same application? Is this necessary, or are you overengineering?

Let me clarify some details about the RNG implementation in OpenSSL 1.1.1: The RAND_METHOD interface itself is not thread aware. It is only the new default RAND_METHOD implementation (added in 1.1.1)
of OpenSSL (RAND_OpenSSL()) which supports thread-local random generators. The implementation is based on deterministic random bit generators (DRBGs) as described in NIST SP 800-90Ar1. When a thread calls RAND_bytes() (resp. RAND_priv_bytes()), the call is forwarded to the thread-specific DRBG instance. All per-thread instances reseed from a single global DRBG instance, which in turn reseeds from random sources provided by the operating system.

In your case, by replacing the RAND_METHOD, you are changing the complete RAND implementation for all threads. Moreover, you are completely responsible yourself for reseeding your RNG properly.

You could however implement a smarter RAND_METHOD which calls your specific RNG for T1 and delegates to the thread-local DRBG (RAND_DRBG_get0_public() resp. RAND_DRBG_get0_private()) for all other threads. To get an idea how it can be done, take a look at the default implementation of RAND_bytes(), drbg_bytes() in drbg_lib.c:

https://github.com/openssl/openssl/blob/OpenSSL_1_1_1-stable/crypto/rand/drbg_lib.c#L958-L970

Re Q2: Also, is it possible to run OpenSSL as a separate instance per thread (where each thread can do its own OpenSSL initialization) so that they can avoid the above-mentioned problem?

No. If you really need something like that, you might want to consider splitting your two threads into two processes.

HTH,
Matthias

------------------------------

Subject: Digest Footer

_______________________________________________
openssl-users mailing list
openssl-users at openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-users

------------------------------

End of openssl-users Digest, Vol 77, Issue 4
********************************************
From pauli at openssl.org Sat Apr 3 08:48:48 2021
From: pauli at openssl.org (Dr Paul Dale)
Date: Sat, 3 Apr 2021 18:48:48 +1000
Subject: openssl-users Digest, Vol 77, Issue 4
In-Reply-To:
References:
Message-ID:

I would be **very** concerned about bypassing a blocking RAND. It is almost certainly blocking because it does not have enough randomness to satisfy your request. By skipping this, you are likely getting poor quality random values and this can effectively negate any security you are gaining from the encryption.

Good random numbers are fundamental to modern cryptography. Without them, there is no security. I cannot stress this enough. Do not try to second guess or bypass the RNG.

Pauli

On 3/4/21 6:41 pm, Vishwanath Mahajanshetty wrote:
>
> Thank You Paul and Matthias for your help.
>
> The reason I am trying to have a separate RAND_METHOD for the two threads
> is that the first thread, which runs DNS bind code, registers a
> RAND_METHOD through the dnssec module in it. It registers via either
> ENGINE_set_default_RAND() or RAND_set_rand_method(), based on whether
> OPENSSL_NO_ENGINE is defined or not. But the problem is, under some
> circumstances the random number generator enters blocking mode
> and starts to wait for some events on some FDs, and it blocks in the
> select() system call. dst__entropy_getdata() from the bind code is doing
> this. I am not sure under what cases it enters blocking mode.
>
> So if I use this RAND_METHOD in the second thread (basically this thread
> does a different task, handling DoT (DNS over TLS) connections,
> which is not related to the first thread with respect to SSL functionality), then
> while creating the SSL_CTX this thread gets stuck in the select() system call
> randomly (it happens very rarely, as decided by dst__entropy_getdata());
> this can happen at any time in the SSL connection's lifetime, whenever it
> wants to get random data.
>
> I agree with you that we should have done this as a separate process
> instead of a new thread; but I am trying to figure out if I can somehow
> avoid this situation.
>
> As you mentioned, I tried to look into the implementation of RAND_bytes()
> and drbg_bytes().
>
> When SSL_CTX_new() calls RAND_bytes(), it calls RAND_get_rand_method(),
> which returns the RAND_METHOD set by the bind thread. So if I avoid
> configuring a RAND_METHOD in the bind thread, then RAND_get_rand_method()
> will return rand_meth, which is the OpenSSL default RAND_METHOD; but if I
> make this change the bind thread will move away from its RAND_METHOD
> functions and start using the OpenSSL default functions, which may change
> its behaviour.
>
> So I am still confused about how I can make the bind thread use its own
> RAND_METHOD and the DoT thread use the default OpenSSL RAND_METHOD. It
> would be really helpful if you could explain this in a little more
> detail (are there any APIs I can call from one thread to use its
> specific RAND_METHOD while other threads continue to use the OpenSSL default
> RAND_METHOD?).
>
> Thank You,
>
> Vishwanath M

From dev at ddvo.net Sat Apr 3 19:20:58 2021
From: dev at ddvo.net (David von Oheimb)
Date: Sat, 3 Apr 2021 21:20:58 +0200
Subject: OpenSSL chain build error diagnostics - Re: Why does OpenSSL report google's certificate is "self-signed"?
In-Reply-To:
References:
Message-ID: <2673da98-6691-6363-bcf6-387c116faaf5@ddvo.net>

Hi Nan, Viktor, et al.,

> From: openssl-users On Behalf Of Viktor Dukhovni
> Sent: Wednesday, 31 March, 2021 10:31
>
> Most likely you haven't configured a suitable CAfile and/or CApath,
> which contains the root CA that ultimately issued Google's certificate.

Yeah, that is the usual reason.

> It looks like Google includes a self-signed root CA in the wire
> certificate chain,

Not really. @Viktor, see the diagnostic output of the alternative call

    openssl s_client -connect google.com:443

that Nan provided below (and which is easy to reproduce):

> ---
> Certificate chain
>  0 s:C = US, ST = California, L = Mountain View, O = Google LLC, CN = *.google.com
>    i:C = US, O = Google Trust Services, CN = GTS CA 1O1
>  1 s:C = US, O = Google Trust Services, CN = GTS CA 1O1
>    i:OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
> ---

This chain does not include the root cert (which would be by GlobalSign in this case).

@all, contributing to the discussion that spawned over the last couple of days on whether the server should include the root of its chain: IMO it should be advised not to include the root cert (i.e., the trust anchor). While the (needless) extra amount of data is usually not a problem, the main problem that I see is that the receiver may be misled to accept the root cert as trusted although, when received this way, it is not trustworthy. Instead, when verifying the server chain, the receiver must already have a trust store containing (root) certs that are considered trusted, and for the chain received from the server there should be a suitable trust anchor (which typically takes the form of a self-signed cert) in that trust store.

> and if no match is found in the trust store,
> you'll get the reported error.

The reason must be something else.
Note that the error was X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, which means that the chain built contains only one element, and this element is self-signed and not trusted. So it cannot be the chain *.google.com -> GTS CA 1O1 -> GlobalSign.

@Nan, I find this error very unexpected - something pretty strange must have happened in your application. If no suitable trusted root is available in the trust store, the error thrown should have been 20 ("unable to get local issuer certificate") = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY.

BTW, many of those OpenSSL verify error codes are IMHO pretty hard to (correctly) understand and therefore should be re-phrased for clarity. And unfortunately OpenSSL by default does not give much further diagnostics on cert verification errors. I advise using `X509_STORE_CTX_print_verify_cb()`, which I added last year to master as part of the CMP contribution. This can be done simply as follows:

    X509_STORE_set_verify_cb(my_X509_STORE, X509_STORE_CTX_print_verify_cb);

On X509_verify_cert() error, this provides in the error queue not only the error code and string, but also the cert for which the error occurred as well as the set of untrusted certs and the set of trust anchor certs that were available for chain building in the current X509_STORE_CTX.

Regards,
    David

On 31.03.21 07:49, Nan Xiao wrote:
> Hi OpenSSL users,
>
> Greetings from me!
>
> I am using the master branch of OpenSSL and testing the client-arg program
> (in demos/bio) with "google.com:443":
>
> # LD_LIBRARY_PATH=/root/openssl/build gdb --args ./client-arg -connect "google.com:443"
> ......
> (gdb)
> 91          if (BIO_do_connect(sbio) <= 0) {
> (gdb)
> 97          if (BIO_do_handshake(sbio) <= 0) {
> (gdb) p ssl->verify_result
> $1 = 18
>
> The connection is successful, but the ssl->verify_result is 18, i.e.,
> X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT. I am a little confused why
> OpenSSL reports google's certificate is "self-signed"? And it should
> not be.
> The following result is from "openssl s_client":
>
> # openssl s_client -connect google.com:443
> CONNECTED(00000003)
> depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
> verify return:1
> depth=1 C = US, O = Google Trust Services, CN = GTS CA 1O1
> verify return:1
> depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = *.google.com
> verify return:1
> ---
> Certificate chain
>  0 s:C = US, ST = California, L = Mountain View, O = Google LLC, CN = *.google.com
>    i:C = US, O = Google Trust Services, CN = GTS CA 1O1
>  1 s:C = US, O = Google Trust Services, CN = GTS CA 1O1
>    i:OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
> ---
>
> Anyone can give some clues? Thanks very much in advance!
>
> Best Regards
> Nan Xiao

From mahajanshetty at outlook.com Sun Apr 4 11:55:52 2021
From: mahajanshetty at outlook.com (Vishwanath Mahajanshetty)
Date: Sun, 4 Apr 2021 11:55:52 +0000
Subject: openssl-users Digest, Vol 77, Issue 6
In-Reply-To:
References:
Message-ID:

Hi Paul,

Thanks for your response. I understand the concern for good random numbers; but in this scenario, when the second thread calls SSL_CTX_new it waits forever in RAND_priv_bytes(). It looks like the entropy functions defined by the first (bind) thread are very specific to its own use case and can't be used by other threads. So I am thinking of using the default OpenSSL RAND_METHOD for the second thread and keeping the first thread (bind) using its own random number generators.

Please let me know how I can make one thread use the default RAND_METHOD and keep the other thread using its own method. I have gone through RAND_bytes() and drbg_bytes() but am not getting enough of an idea. It would be really helpful if you could point out APIs which help me to achieve this requirement.
Thank You, Vishwanath M From: openssl-users-request at openssl.org Sent: 03 April 2021 02:19 PM To: openssl-users at openssl.org Subject: openssl-users Digest, Vol 77, Issue 6 Send openssl-users mailing list submissions to openssl-users at openssl.org To subscribe or unsubscribe via the World Wide Web, visit https://mta.openssl.org/mailman/listinfo/openssl-users or, via email, send a message with subject or body 'help' to openssl-users-request at openssl.org You can reach the person managing the list at openssl-users-owner at openssl.org When replying, please edit your Subject line so it is more specific than "Re: Contents of openssl-users digest..." Today's Topics: 1. Re: openssl-users Digest, Vol 77, Issue 4 (Dr Paul Dale) ---------------------------------------------------------------------- Message: 1 Date: Sat, 3 Apr 2021 18:48:48 +1000 From: Dr Paul Dale To: openssl-users at openssl.org Subject: Re: openssl-users Digest, Vol 77, Issue 4 Message-ID: Content-Type: text/plain; charset="windows-1252"; Format="flowed" I would be **very** concerned about bypassing a blocking RAND.? It is almost certainly blocking because it does not have enough randomness to satisfy your request.? By skipping this, you are likely getting poor quality random values and this can effectively negate any security you are gaining from the encryption. Good random numbers are fundamental to modern cryptography.? Without them, there is no security.? I cannot stress this enough.? Do not try to second guess or bypass the RNG. Pauli On 3/4/21 6:41 pm, Vishwanath Mahajanshetty wrote: > > Thank You Paul and Matthias for your help. > > The reason I am trying to have separate RAND_METHOD for two threads > is, the first thread which runs DNS *bind* code registers for > RAND_METHOD through dnssec module in it. It registers via either > ENGINE_set_default_RAND() or RAND_set_rand_method() based on > OPENSSL_NO_ENGINE is defined or not. 
But problem is, under some > circumstances the random number generator enters into blocking mode > and starts to wait for some events on some FDs and it blocks in > select() system call. dst__entropy_getdata() ?from bind code is doing > this. I am not sure under what cases it enters into blocking mode. > > So If I use this RND_METHOD in second thread (basically this thread > does different task of handling *DoT*, Dns Over TLS, connections, > which is not related to first thread wrt SSL functionalities), then > while creating SSL_CTX this thread gets stuck in select() system call > randomly (happens very rarely as decided by dst__entropy_getdata()); > this can happen at any time of SSL connection lifetime whenever it > wants to get random data. > > I agree with you that we should have done this as separate process > instead of new thread; but I am trying figure out if I can somehow > avoid this situation. > > As you mentioned, I tried to look into implementation of RAND_bytes() > and drbg_bytes(). > > When SSL_CTX_new() calls RAND_bytes(), it calls RAND_get_rand_method() > which returns RAND_METHOD set by *bind* thread. So if I avoid > configuring RAND_METHOD in *bind* thread, then RAND_get_rand_method() > will return *rand_meth *which is OpenSSL default RAND_METHOD; but if I > do this change bind thread will move away from its RAND_METHOD > functions and start using OpenSSL default functions which may change > its behaviour. > > So I am still confused how can I do *bind* thread to use its own > RAND_METHOD and *DoT* thread to use default OpenSSL RAND_METHOD. It > would be really helpful if you can explain this with little more > details (are there any APIs I can call from one thread to use its > specific RAND_METHOD but other threads continue to use OpenSSL default > RAND_METHOD?). 
> > Thank You, > > Vishwanath M > > *From: *openssl-users-request at openssl.org > > *Sent: *02 April 2021 04:58 PM > *To: *openssl-users at openssl.org > *Subject: *openssl-users Digest, Vol 77, Issue 4 > > Send openssl-users mailing list submissions to > ??????? openssl-users at openssl.org > > To subscribe or unsubscribe via the World Wide Web, visit > https://mta.openssl.org/mailman/listinfo/openssl-users > > or, via email, send a message with subject or body 'help' to > ??????? openssl-users-request at openssl.org > > You can reach the person managing the list at > ??????? openssl-users-owner at openssl.org > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of openssl-users digest..." > > > Today's Topics: > > ?? 1. Re: Regarding RAND_set_rand_method (Dr Paul Dale) > ?? 2. RE: Regarding RAND_set_rand_method (Dr. Matthias St. Pierre) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Fri, 2 Apr 2021 16:51:28 +1000 > From: Dr Paul Dale > To: openssl-users at openssl.org > Subject: Re: Regarding RAND_set_rand_method > Message-ID: <1781ab4c-2e2b-fa3b-8b3c-fb4fc5bd3371 at openssl.org> > Content-Type: text/plain; charset="windows-1252"; Format="flowed" > > There isn't an easy a way to do what you want in 1.1.1. > RAND_set_rand_method replaces the RNG for all of OpenSSL.? In theory > your RAND_METHOD could detect which thread it is running in and do > different things for each.? I'm not sure this is a good idea however. > > Why aren't the random number from your first thread good enough for the > second?? Good random numbers are just that - random.? It should be > impossible to distinguish the two streams. > > In OpenSSL 3.0 there are ways to achieve what you're wanting. 
> > > Pauli > > On 2/4/21 4:24 pm, Vishwanath Mahajanshetty wrote: > > > > Hi, > > > > I have some doubts/questions on how to use methods (for ex: > > RAND_set_rand_method) in multi threaded application which use OpenSSL. > > In my application (running on OpenSSL 1.1.1d) there are two threads > > which use OpenSSL, both threads perform very different operations. The > > issue I am facing is as below: > > > > Thread T1 calls RAND_set_rand_method() and sets RAND_METHOD structure. > > This is very specific to T1s use case. When thread T2 wants to create > > SSL_CTX it calls SSL_CTX_new() which then calls RAND_priv_bytes(). I > > am observing that the function RAND_priv_bytes() is calling the > > function set by T1 by RAND_METHOD in RAND_set_rand_method(). > > > > Essentially RAND_METHOD function set by thread T1 are getting called > > by thread T2. > > > > *Q1: I want to know is there any way to avoid this problem? I want > > thread T2 to call default RAND methods and avoid calling methods set > > by thread T1. This is not only for RAND methods, but for any other > > methods.* > > > > ** > > > > Q2: Also, is it possible to run OpenSSL as separate instance per > > thread (where each thread can do its own OpenSSL initialization) so > > that they can avoid above mentioned problem? > > > > Thank you, > > > > Vishwanath M > > > > -------------- next part -------------- > An HTML attachment was scrubbed... > URL: > > > > ------------------------------ > > Message: 2 > Date: Fri, 2 Apr 2021 11:27:53 +0000 > From: "Dr. Matthias St. Pierre" > To: Dr Paul Dale , "openssl-users at openssl.org" > ??????? > Subject: RE: Regarding RAND_set_rand_method > Message-ID: <7056523443ae4f94bca32240c4f24533 at ncp-e.com> > Content-Type: text/plain; charset="us-ascii" > > Re Q1: I want to know is there any way to avoid this problem? I want > thread T2 to call default RAND methods and avoid calling methods set > by thread T1. This is not only for RAND methods, but for any other > methods. 
> > First of all, I agree with Pauli: your first question should be, why > do you need different random generators for different threads in the > same application? Is this necessary, or are you overengineering? > > Let me clarify some details about the RNG implemention in OpenSSL > 1.1.1.: The RAND_METHOD interface itself is not thread aware. It is > only the new default RAND_METHOD implementation (added in 1.1.1.) of > OpenSSL (RAND_OpenSSL()), which supports thread local random > generators. The implementation is based on deterministic random bit > generators (DRBG) as described in NIST.SP.800-90Ar1. Wenn a thread > calls RAND_bytes() (resp. RAND_priv_bytes()), the call is forwarded to > the thread-specific DRBG instance. All per-thread instances reseed > from a single global DRBG instance, which in turn reseeds from? from > random sources provided by the operating system. > > In your case, by replacing the RAND_METHOD, you are changing the > complete RAND implementation for all threads. Moreover, you are > completely responsible yourself for reseeding your RNG properly. > > You could however implement a smarter RAND_METHOD which calls your > specific RNG for T1 and delegates to the thread local DRBG > (RAND_DRBG_get0_public() resp. RAND_DRBG_get0_private()) for all other > threads. To get an idea how it can be done, take a look at the default > implementation of RAND_bytes(), drbg_bytes() in drbg_lib.c: > > https://github.com/openssl/openssl/blob/OpenSSL_1_1_1-stable/crypto/rand/drbg_lib.c#L958-L970 > > > > Re Q2: Also, is it possible to run OpenSSL as separate instance per > thread (where each thread can do its own OpenSSL initialization) so > that they can avoid above mentioned problem? > > No. If you really need something like that, you might want to consider > splitting your two threads into two processes. 
>
> HTH,
> Matthias
>
>
> From: openssl-users On Behalf Of Dr Paul Dale
> Sent: Friday, April 2, 2021 8:51 AM
> To: openssl-users at openssl.org
> Subject: Re: Regarding RAND_set_rand_method
>
> There isn't an easy way to do what you want in 1.1.1.
> RAND_set_rand_method replaces the RNG for all of OpenSSL. In theory
> your RAND_METHOD could detect which thread it is running in and do
> different things for each. I'm not sure this is a good idea however.
>
> Why aren't the random numbers from your first thread good enough for
> the second? Good random numbers are just that - random. It should be
> impossible to distinguish the two streams.
>
> In OpenSSL 3.0 there are ways to achieve what you're wanting.
>
>
> Pauli
>
> On 2/4/21 4:24 pm, Vishwanath Mahajanshetty wrote:
> > Hi,
> >
> > I have some doubts/questions on how to use methods (for ex:
> > RAND_set_rand_method) in multi threaded application which use OpenSSL.
> > In my application (running on OpenSSL 1.1.1d) there are two threads
> > which use OpenSSL, both threads perform very different operations. The
> > issue I am facing is as below:
>
> > Thread T1 calls RAND_set_rand_method() and sets RAND_METHOD structure.
> > This is very specific to T1s use case. When thread T2 wants to create
> > SSL_CTX it calls SSL_CTX_new() which then calls RAND_priv_bytes(). I
> > am observing that the function RAND_priv_bytes() is calling the
> > function set by T1 by RAND_METHOD in RAND_set_rand_method().
> >
> > Essentially RAND_METHOD function set by thread T1 are getting called
> > by thread T2.
> >
> > Q1: I want to know is there any way to avoid this problem? I want
> > thread T2 to call default RAND methods and avoid calling methods set
> > by thread T1. This is not only for RAND methods, but for any other
> > methods.
> >
> > Q2: Also, is it possible to run OpenSSL as separate instance per
> > thread (where each thread can do its own OpenSSL initialization) so
> > that they can avoid above mentioned problem?
> >
> > Thank you,
> > Vishwanath M
>
> ------------------------------
>
> Subject: Digest Footer
>
> _______________________________________________
> openssl-users mailing list
> openssl-users at openssl.org
> https://mta.openssl.org/mailman/listinfo/openssl-users
>
> ------------------------------
>
> End of openssl-users Digest, Vol 77, Issue 4
> ********************************************

------------------------------

End of openssl-users Digest, Vol 77, Issue 6
********************************************

From Matthias.St.Pierre at ncp-e.com Sun Apr 4 21:38:35 2021
From: Matthias.St.Pierre at ncp-e.com (Dr. Matthias St. Pierre)
Date: Sun, 4 Apr 2021 21:38:35 +0000
Subject: Regarding RAND_set_rand_method (was: openssl-users Digest, Vol 77, Issue 6)
Message-ID: <3ba047ef93ef4b308673f573567f86f3@ncp-e.com>

Vishwanath,

have you already tried to simply use the default RAND_METHOD and not to replace it by your own? Except for the initial seeding(*), the thread local DRBGs should operate for a long time without blocking and without interfering with each other. Even if the thread local DRBGs reseed, they obtain their seed from the master DRBG, which does not reseed from the operating system every time.
Even more, the RAND_{priv_}bytes() calls of different threads are completely independent from each other, except for the (unlikely) case that both threads block on the master DRBG which blocks on the os entropy source.

Please also post call stacks of the two threads if the problem persists. In particular, it would be useful to see which method is used to obtain the entropy (getrandom(), a read() from /dev/[u]random, ...), and why the system is so low on entropy.

Regards,
Matthias

(*) you might want to force an initial seeding during application startup by an explicit RAND_bytes() call.

From: openssl-users On Behalf Of Vishwanath Mahajanshetty
Sent: Sunday, April 4, 2021 1:56 PM
To: openssl-users at openssl.org
Subject: RE: openssl-users Digest, Vol 77, Issue 6

Hi Paul,

Thanks for your response. I understand the concern for good random numbers; but in this scenario when second thread calls SSL_CTX_new it is waiting forever in RAND_priv_bytes(). Looks like entropy functions defined by first (bind) thread are very specific for its own use case and can't be used by other threads.

So I am thinking of using default OpenSSL RAND_METHOD for second thread and keep first thread (bind) to use its own random number generators.

Please let me know how can I make one thread use default RAND_METHOD and keep other thread to use its own method. I have gone through RAND_bytes() and drbg_bytes() but not getting enough idea. It would be really helpful if you point out APIs which help me to achieve this requirement.

Thank You,
Vishwanath M
From pauli at openssl.org Mon Apr 5 01:17:57 2021
From: pauli at openssl.org (Dr Paul Dale)
Date: Mon, 5 Apr 2021 11:17:57 +1000
Subject: openssl-users Digest, Vol 77, Issue 6
In-Reply-To:
References:
Message-ID: <6440356e-a380-2284-b9c0-b1402792bb59@openssl.org>

Vishwanath,

It isn't possible to do what you are wanting. RAND_METHOD replaces the RNG everywhere. It cannot be done on a per thread process.

Pauli

On 4/4/21 9:55 pm, Vishwanath Mahajanshetty wrote:
>
> Hi Paul,
>
> Thanks for your response. I understand the concern for good random
> numbers; but in this scenario when second thread calls SSL_CTX_new it
> is waiting forever in RAND_priv_bytes(). Looks like entropy functions
> defined by first (bind) thread are very specific for its own use case
> and can't be used by other threads.
>
> So I am thinking of using default OpenSSL RAND_METHOD for second
> thread and keep first thread (bind) to use its own random number
> generators.
>
> Please let me know how can I make one thread use default RAND_METHOD
> and keep other thread to use its own method. I have gone through
> RAND_bytes() and drbg_bytes() but not getting enough idea. It would be
> really helpful if you point out APIs which help me to achieve this
> requirement.
>
> Thank You,
>
> Vishwanath M
>
> *From: *openssl-users-request at openssl.org
> *Sent: *03 April 2021 02:19 PM
> *To: *openssl-users at openssl.org
> *Subject: *openssl-users Digest, Vol 77, Issue 6
>
> Send openssl-users mailing list submissions to
>         openssl-users at openssl.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://mta.openssl.org/mailman/listinfo/openssl-users
>
> or, via email, send a message with subject or body 'help' to
>         openssl-users-request at openssl.org
>
> You can reach the person managing the list at
>         openssl-users-owner at openssl.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of openssl-users digest..."
>
>
> Today's Topics:
>
>    1. Re: openssl-users Digest, Vol 77, Issue 4 (Dr Paul Dale)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sat, 3 Apr 2021 18:48:48 +1000
> From: Dr Paul Dale
> To: openssl-users at openssl.org
> Subject: Re: openssl-users Digest, Vol 77, Issue 4
> Message-ID:
> Content-Type: text/plain; charset="windows-1252"; Format="flowed"
>
> I would be **very** concerned about bypassing a blocking RAND. It is
> almost certainly blocking because it does not have enough randomness to
> satisfy your request. By skipping this, you are likely getting poor
> quality random values and this can effectively negate any security you
> are gaining from the encryption.
>
> Good random numbers are fundamental to modern cryptography. Without
> them, there is no security. I cannot stress this enough. Do not try to
> second guess or bypass the RNG.
>
>
> Pauli
>
> On 3/4/21 6:41 pm, Vishwanath Mahajanshetty wrote:
> >
> > Thank You Paul and Matthias for your help.
> >
> > The reason I am trying to have separate RAND_METHOD for two threads
> > is, the first thread which runs DNS *bind* code registers for
> > RAND_METHOD through dnssec module in it. It registers via either
> > ENGINE_set_default_RAND() or RAND_set_rand_method() based on
> > OPENSSL_NO_ENGINE is defined or not. But problem is, under some
> > circumstances the random number generator enters into blocking mode
> > and starts to wait for some events on some FDs and it blocks in
> > select() system call. dst__entropy_getdata() from bind code is doing
> > this. I am not sure under what cases it enters into blocking mode.
> >
> > So If I use this RND_METHOD in second thread (basically this thread
> > does different task of handling *DoT*, Dns Over TLS, connections,
> > which is not related to first thread wrt SSL functionalities), then
> > while creating SSL_CTX this thread gets stuck in select() system call
> > randomly (happens very rarely as decided by dst__entropy_getdata());
> > this can happen at any time of SSL connection lifetime whenever it
> > wants to get random data.
> >
> > I agree with you that we should have done this as separate process
> > instead of new thread; but I am trying figure out if I can somehow
> > avoid this situation.
> >
> > As you mentioned, I tried to look into implementation of RAND_bytes()
> > and drbg_bytes().
> >
> > When SSL_CTX_new() calls RAND_bytes(), it calls RAND_get_rand_method()
> > which returns RAND_METHOD set by *bind* thread. So if I avoid
> > configuring RAND_METHOD in *bind* thread, then RAND_get_rand_method()
> > will return *rand_meth* which is OpenSSL default RAND_METHOD; but if I
> > do this change bind thread will move away from its RAND_METHOD
> > functions and start using OpenSSL default functions which may change
> > its behaviour.
> >
> > So I am still confused how can I do *bind* thread to use its own
> > RAND_METHOD and *DoT* thread to use default OpenSSL RAND_METHOD. It
> > would be really helpful if you can explain this with little more
> > details (are there any APIs I can call from one thread to use its
> > specific RAND_METHOD but other threads continue to use OpenSSL default
> > RAND_METHOD?).
> >
> > Thank You,
> >
> > Vishwanath M
> >
> > *From: *openssl-users-request at openssl.org
> > *Sent: *02 April 2021 04:58 PM
> > *To: *openssl-users at openssl.org
> > *Subject: *openssl-users Digest, Vol 77, Issue 4
> >
> > Today's Topics:
> >
> >    1. Re: Regarding RAND_set_rand_method (Dr Paul Dale)
> >    2. RE: Regarding RAND_set_rand_method (Dr. Matthias St. Pierre)

From Matthias.St.Pierre at ncp-e.com Mon Apr 5 09:52:02 2021
From: Matthias.St.Pierre at ncp-e.com (Dr. Matthias St. Pierre)
Date: Mon, 5 Apr 2021 09:52:02 +0000
Subject: openssl-users Digest, Vol 77, Issue 6
In-Reply-To: <6440356e-a380-2284-b9c0-b1402792bb59@openssl.org>
References: <6440356e-a380-2284-b9c0-b1402792bb59@openssl.org>
Message-ID: <1000514466144cd5b14037299c09c9cf@ncp-e.com>

> It isn't possible to do what you are wanting. RAND_METHOD replaces the RNG everywhere. It cannot be done on a per thread process.

Well, technically it *is* possible. However, I'm still in doubt whether it is really necessary and should be done.
The following example assumes you are compiling for linux (or another unix-ish os) and using pthreads:

Assume that you recorded the thread id of your thread T1 (which you obtained from pthread_create()) in the static variable 'tid1'. Then you could take the code from [1] and modify it as follows:

```
static int my_rand_bytes(unsigned char *out, int count)
{
    int ret;

    if (pthread_equal(pthread_self(), tid1)) {
        // ... call your special RNG here and store its result (1 = success) in ret
    } else {
        RAND_DRBG *drbg = RAND_DRBG_get0_public();

        if (drbg == NULL)
            return 0;
        ret = RAND_DRBG_bytes(drbg, out, count);
    }
    return ret;
}
```

This is just a rough sketch, note that there are more RAND_METHODs to be considered [2].

Matthias

[1] https://github.com/openssl/openssl/blob/OpenSSL_1_1_1-stable/crypto/rand/drbg_lib.c#L958-L970
[2] https://github.com/openssl/openssl/blob/OpenSSL_1_1_1-stable/crypto/rand/drbg_lib.c#L1146-L1153

From: openssl-users On Behalf Of Dr Paul Dale
Sent: Monday, April 5, 2021 3:18 AM
To: openssl-users at openssl.org
Subject: Re: openssl-users Digest, Vol 77, Issue 6

Vishwanath,

It isn't possible to do what you are wanting. RAND_METHOD replaces the RNG everywhere. It cannot be done on a per thread process.

Pauli

On 4/4/21 9:55 pm, Vishwanath Mahajanshetty wrote:

Hi Paul,

Thanks for your response. I understand the concern for good random numbers; but in this scenario when second thread calls SSL_CTX_new it is waiting forever in RAND_priv_bytes(). Looks like entropy functions defined by first (bind) thread are very specific for its own use case and can't be used by other threads.

So I am thinking of using default OpenSSL RAND_METHOD for second thread and keep first thread (bind) to use its own random number generators.

Please let me know how can I make one thread use default RAND_METHOD and keep other thread to use its own method. I have gone through RAND_bytes() and drbg_bytes() but not getting enough idea. It would be really helpful if you point out APIs which help me to achieve this requirement.

Thank You,
Vishwanath M
From hmurray at megapathdsl.net Mon Apr 5 12:51:35 2021
From: hmurray at megapathdsl.net (Hal Murray)
Date: Mon, 05 Apr 2021 05:51:35 -0700
Subject: EVP_MAC_init() in 3.0 alpha 13
Message-ID: <20210405125135.74ED3406061@ip-64-139-1-69.sjc.megapath.net>

It used to take just a ctx. Now it also wants a key+length and a params.

I have some simple/hack code to time 2 cases. The first gives it the key each time. The second preloads the key. That would require an evp per key, but I might be willing to make that space/time tradeoff.

The each time mode of my old code put the cipher and key into a params array, then called
  EVP_MAC_CTX_set_params(ctx, params) and then
  EVP_MAC_init(ctx)
That's easy to change. I just drop putting the key into a params slot and drop calling set_params and add the key and params to EVP_MAC_init. That worked.

Is there a way to use a preloaded key? I tried using NULL for key and params when calling EVP_MAC_init. It compiles and runs but doesn't get the right answer. Is that, or something like it supposed to work?

--------

EVP_MAC_CTX_set_params() seems ugly to me.

My inner loop looks like:
  EVP_MAC_CTX_set_params()
  EVP_MAC_init()
  EVP_MAC_update()
  EVP_MAC_final()

I'm trying to make things go fast. It's going to have to do string compares to figure out what I want to do. I'm working with small blocks of data (48 bytes) so the setup cost is important. Or I think it is, so I'm trying to measure it.

The case I'm trying to get working is to move the EVP_MAC_CTX_set_params() out of the loop.

--
These are my opinions. I hate spam.
From wmk589 at yahoo.com Mon Apr 5 15:16:54 2021
From: wmk589 at yahoo.com (Boris Shpoungin)
Date: Mon, 5 Apr 2021 15:16:54 +0000 (UTC)
Subject: Porting to version 1.1.1 with old Linux kernel 3.0.8
References: <1579842495.588965.1617635814713.ref@mail.yahoo.com>
Message-ID: <1579842495.588965.1617635814713@mail.yahoo.com>

Hello,

Are there minimal requirements for Linux kernel for usage of openssl library version 1.1.1?

I have old application based on Linux kernel 3.0.8 which uses openssl version 1.0.2. My question is whether it is possible to port this application to use openssl version 1.1.1 in Linux 3.0.8 environment? If yes, then any useful info about "how to" will be greatly appreciated.

Thanks
Robert

From garcapradossergi76 at gmail.com Mon Apr 5 17:03:37 2021
From: garcapradossergi76 at gmail.com (Sergio García)
Date: Mon, 5 Apr 2021 19:03:37 +0200
Subject: How to get pub key from EC_KEY to verify digest with ECDSA_do_verify function?
Message-ID:

Hi,

I have a question regarding OpenSSL library. The question is explained here.

Thanks

From preethi.kavi17 at gmail.com Mon Apr 5 18:47:08 2021
From: preethi.kavi17 at gmail.com (preethi teekaraman)
Date: Tue, 6 Apr 2021 00:17:08 +0530
Subject: Self Signed certificate creating "Unknown CA issue"
Message-ID:

Hi Openssl Users,

I'm using different versions of openssl from 2014 to 2020 to create a self signed certificate.

reference link for cert generation: https://gist.github.com/fntlnz/cf14feb5a46b2eda428e000157447309

I could see "unknown CA" from client side while exchanging key between server and client. Here I'm using nginx server (load balancer) as server where I'm loading server cert and key and root cert in device.

Any better suggestion or proper commands to create a self signed certificate.

Regards,
Preethi Teekaraman.
From openssl-users at dukhovni.org Mon Apr 5 19:49:54 2021
From: openssl-users at dukhovni.org (Viktor Dukhovni)
Date: Mon, 5 Apr 2021 15:49:54 -0400
Subject: Porting to version 1.1.1 with old Linux kernel 3.0.8
In-Reply-To: <1579842495.588965.1617635814713@mail.yahoo.com>
References: <1579842495.588965.1617635814713.ref@mail.yahoo.com> <1579842495.588965.1617635814713@mail.yahoo.com>
Message-ID: <461D77A4-BCE6-4C52-A1FB-CFC2ED50A652@dukhovni.org>

> On Apr 5, 2021, at 11:16 AM, Boris Shpoungin via openssl-users wrote:
>
> Is there minimal requirements for Linux kernel for usage of openssl library version 1.1.1?
>
> I have old application based on Linux kernel 3.0.8 which uses openssl version 1.0.2. My question is whether it is possible to port this application to use openssl version 1.1.1 in Linux 3.0.8 environment?

The version of the Linux kernel is almost certainly irrelevant. OpenSSL makes minimal demands of the operating system. Only random number generation is plausibly something you need to think about. The getrandom(2) kernel API was added in Linux 3.17, so you'll need to use /dev/urandom instead. Otherwise, sockets, threads, ... are all present in Linux even before 3.0.

--
    Viktor.

From wmk589 at yahoo.com Mon Apr 5 20:07:50 2021
From: wmk589 at yahoo.com (Boris Shpoungin)
Date: Mon, 5 Apr 2021 20:07:50 +0000 (UTC)
Subject: Porting to version 1.1.1 with old Linux kernel 3.0.8
In-Reply-To: <461D77A4-BCE6-4C52-A1FB-CFC2ED50A652@dukhovni.org>
References: <1579842495.588965.1617635814713.ref@mail.yahoo.com> <1579842495.588965.1617635814713@mail.yahoo.com> <461D77A4-BCE6-4C52-A1FB-CFC2ED50A652@dukhovni.org>
Message-ID: <559426246.57031.1617653270887@mail.yahoo.com>

Thank you for response.

Could you suggest best approach for porting application from 1.0.2 to 1.1.1?
So far I've found good manual which describes required modifications:
https://wiki.tizen.org/Security/Tizen_5.X_Migration_from_OpenSSL_1.0.2_to_OpenSSL_1.1.1_guide

The question is whether it describes ALL required modification?

On Monday, April 5, 2021, 03:57:36 PM EDT, Viktor Dukhovni wrote:

> > On Apr 5, 2021, at 11:16 AM, Boris Shpoungin via openssl-users wrote:
> >
> > Is there minimal requirements for Linux kernel for usage of openssl library version 1.1.1?
> >
> > I have old application based on Linux kernel 3.0.8 which uses openssl version 1.0.2. My question is whether it is possible to port this application to use openssl version 1.1.1 in Linux 3.0.8 environment?
>
> The version of the Linux kernel is almost certainly irrelevant. OpenSSL makes minimal demands of the operating system. Only random number generation is plausibly something you need to think about. The getrandom(2) kernel API was added in Linux 3.17, so you'll need to use /dev/urandom instead. Otherwise, sockets, threads, ... are all present in Linux even before 3.0.
>
> --
>     Viktor.

From pauli at openssl.org Mon Apr 5 21:36:45 2021
From: pauli at openssl.org (Dr Paul Dale)
Date: Tue, 6 Apr 2021 07:36:45 +1000
Subject: EVP_MAC_init() in 3.0 alpha 13
In-Reply-To: <20210405125135.74ED3406061@ip-64-139-1-69.sjc.megapath.net>
References: <20210405125135.74ED3406061@ip-64-139-1-69.sjc.megapath.net>
Message-ID:

Does EVP_MAC_CTX_dup() after the MAC context has been initialised do what you want?

Pauli

On 5/4/21 10:51 pm, Hal Murray wrote:
> It used to take just a ctx. Now it also wants a key+length and a params.
>
> I have some simple/hack code to time 2 cases. The first gives it the key each
> time. The second preloads the key. That would require an evp per key, but I
> might be willing to make that space/time tradeoff.
>
> The each time mode of my old code put the cipher and key into a params array,
> then called
>   EVP_MAC_CTX_set_params(ctx, params) and then
>   EVP_MAC_init(ctx)
> That's easy to change. I just drop putting the key into a params slot and
> drop calling set_params and add the key and params to EVP_MAC_init. That worked.
>
> Is there a way to use a preloaded key? I tried using NULL for key and params
> when calling EVP_MAC_init. It compiles and runs but doesn't get the right
> answer. Is that, or something like it supposed to work?
>
> --------
>
> EVP_MAC_CTX_set_params() seems ugly to me.
>
> My inner loop looks like:
>   EVP_MAC_CTX_set_params()
>   EVP_MAC_init()
>   EVP_MAC_update()
>   EVP_MAC_final()
>
> I'm trying to make things go fast. It's going to have to do string compares
> to figure out what I want to do. I'm working with small blocks of data (48
> bytes) so the setup cost is important. Or I think it is, so I'm trying to
> measure it.
>
> The case I'm trying to get working is to move the EVP_MAC_CTX_set_params() out
> of the loop.
>

From Michal.Trojnara at stunnel.org Mon Apr 5 21:45:08 2021
From: Michal.Trojnara at stunnel.org (Michał Trojnara)
Date: Mon, 5 Apr 2021 23:45:08 +0200
Subject: stunnel 5.59 released
Message-ID: <779e0bb5-1826-499e-b1a4-df5bc8755b0c@stunnel.org>

Dear Users,

I have released version 5.59 of stunnel.

### Version 5.59, 2021.04.05, urgency: HIGH
* Security bugfixes
  - OpenSSL DLLs updated to version 1.1.1k.
* New features
  - Client-side "protocol = ldap" support (thx to Bart
    Dopheide and Seth Grover).
* Bugfixes
  - The test suite fixed not to require external connectivity.
  - Fixed paths in generated manuals (thx to Tatsuki Makino).
  - Fixed configuration reload when compression is used.
  - Fixed compilation with early releases of OpenSSL 1.1.1.
Home page: https://www.stunnel.org/
Download: https://www.stunnel.org/downloads.html

SHA-256 hashes:
137776df6be8f1701f1cd590b7779932e123479fb91e5192171c16798815ce9f  stunnel-5.59.tar.gz
c45fa3f70ecf0628d1f5985f2c11fedfc989bbc64db857def82ca7ee602fd8e0  stunnel-5.59-win64-installer.exe
b56d91493631ff2b18e3e596fbb491892847f5671335c3f5e2307e174742ae44  stunnel-5.59-android.zip

Best regards,
    Mike

From xiaonan830818 at gmail.com Tue Apr 6 05:48:25 2021
From: xiaonan830818 at gmail.com (Nan Xiao)
Date: Tue, 6 Apr 2021 13:48:25 +0800
Subject: OpenSSL chain build error diagnostics - Re: Why does OpenSSL report google's certificate is "self-signed"?
In-Reply-To: <2673da98-6691-6363-bcf6-387c116faaf5@ddvo.net>
References: <2673da98-6691-6363-bcf6-387c116faaf5@ddvo.net>
Message-ID:

Hi David, Viktor and all other people,

Thanks very much for all your detailed explanation and time!

Best Regards
Nan Xiao

On Sun, Apr 4, 2021 at 3:21 AM David von Oheimb wrote:
>
> Hi Nan, Viktor, et al.,
>
> From: openssl-users On Behalf Of Viktor Dukhovni Sent: Wednesday, 31 March, 2021 10:31
>
> Most likely you haven't configured a suitable CAfile and/or CApath,
> which contains the root CA that ultimately issued Google's certificate.
>
> Yeah, that is the usual reason.
>
> It looks like Google includes a self-signed root CA in the wire
> certificate chain,
>
> Not really. @Viktor, see the diagnostic output of the alternative call
>
> openssl s_client -connect google.com:443
>
> that Nan provided below (and which is easy to reproduce):
>
> ---
> Certificate chain
> 0 s:C = US, ST = California, L = Mountain View, O = Google LLC, CN = *.google.com
> i:C = US, O = Google Trust Services, CN = GTS CA 1O1
> 1 s:C = US, O = Google Trust Services, CN = GTS CA 1O1
> i:OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
> ---
>
> This chain does not include the root cert (which would be by GlobalSign in this case).
>
> @all, contributing to the discussion that spawned over the last couple of days on whether the server should include the root of its chain:
> IMO it should be advised not to include the root cert (i.e., the trust anchor).
> While the (needless) extra amount of data is usually not a problem,
> the main problem that I see is that the receiver may be misled to accept the root cert as trusted although when received this way it is not trustworthy.
> Instead, when verifying the server chain, the receiver must already have a trust store containing (root) certs that are considered trusted,
> and for the chain received from the server there should be a suitable trust anchor (which typically takes the form of a self-signed cert) in that trust store.
>
> > and if no match is found in the trust store,
> > you'll get the reported error.
>
> The reason must be something else. Note that the error was X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT,
> which means that the chain built contains only one element, and this element is self-signed and not trusted.
> So it cannot be the chain *.google.com -> GTS CA 1O1 -> GlobalSign.
>
> @Nan, I find this error very unexpected - something pretty strange must have happened in your application.
> If no suitable trusted root is available in the trust store, the error thrown should have been
> 20 ("unable to get local issuer certificate") = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY.
>
> BTW, many of those OpenSSL verify error codes are IMHO pretty hard to (correctly) understand and therefore should be re-phrased for clarity.
> And unfortunately OpenSSL by default does not give much further diagnostics on cert verification errors.
> I advise using `X509_STORE_CTX_print_verify_cb()` which I added last year to the master as part of the CMP contribution.
> This can be done simply as follows:
>
> X509_STORE_set_verify_cb(my_X509_STORE, X509_STORE_CTX_print_verify_cb);
>
> On X509_verify_cert() error, this provides in the error queue not only the error code and string, but also the cert for which the error occurred
> as well as the set of untrusted certs and the set of trust anchor certs that were available for chain building in the current X509_STORE_CTX.
>
> Regards,
>
> David
>
>
> On 31.03.21 07:49, Nan Xiao wrote:
> > Hi OpenSSL users,
> > Greetings from me!
> > I am using the master branch of OpenSSL and testing client-arg program
> > (in demos/bio) with "google.com:443":
> >
> > # LD_LIBRARY_PATH=/root/openssl/build gdb --args ./client-arg -connect "google.com:443"
> > ......
> > (gdb)
> > 91 if (BIO_do_connect(sbio) <= 0) {
> > (gdb)
> > 97 if (BIO_do_handshake(sbio) <= 0) {
> > (gdb) p ssl->verify_result
> > $1 = 18
> >
> > The connection is successful, but the ssl->verify_result is 18, i.e.,
> > X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT. I am a little confused why
> > OpenSSL reports google's certificate is "self-signed"? And it should
> > not be. The following result is from "openssl s_client":
> >
> > # openssl s_client -connect google.com:443
> > CONNECTED(00000003)
> > depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
> > verify return:1
> > depth=1 C = US, O = Google Trust Services, CN = GTS CA 1O1
> > verify return:1
> > depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = *.google.com
> > verify return:1
> > ---
> > Certificate chain
> > 0 s:C = US, ST = California, L = Mountain View, O = Google LLC, CN = *.google.com
> > i:C = US, O = Google Trust Services, CN = GTS CA 1O1
> > 1 s:C = US, O = Google Trust Services, CN = GTS CA 1O1
> > i:OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
> > ---
> >
> > Anyone can give some clues? Thanks very much in advance!
> >
> > Best Regards
> > Nan Xiao
>

From dipto181 at gmail.com Tue Apr 6 05:50:47 2021
From: dipto181 at gmail.com (Shariful Alam)
Date: Mon, 5 Apr 2021 23:50:47 -0600
Subject: How to load a custom OpenSSL engine automatically?
Message-ID:

Hello,

I have a custom OpenSSL engine for experiment purposes. I'm trying to load my engine automatically. I intend to use my custom engine instead of the default OpenSSL engine. I have installed OpenSSL 1.1.1c from the source code with the configuration

./config --prefix=/opt/openssl -DOPENSSL_LOAD_CONF --openssldir=/opt/openssl/ssl

and added the following lines to my openssl.cnf:

openssl_conf = openssl_def
[openssl_def]
engines = engine_section
[engine_section]
rsa-engine-new = rsa_section
[rsa_section]
engine_id = rsa-engine-new
#dynamic_path = /opt/openssl/lib/engines-1.1/rsa-engine-new.so   <-- Uncommenting this line causes a segmentation fault

After this, when I try to list the available engines, I get the following error:

ss at ss:/usr/local/lib$ openssl engine rsa-engine-new
(rdrand) Intel RDRAND engine
(dynamic) Dynamic engine loading support
(rsa-engine-new) engine for testing 1
140659701942016:error:260AB089:engine routines:ENGINE_ctrl_cmd_string:invalid cmd name:crypto/engine/eng_ctrl.c:255:
140659701942016:error:260BC066:engine routines:int_engine_configure:engine configuration error:crypto/engine/eng_cnf.c:141:section=rsa_section, name=oid_section, value=new_oids
140659701942016:error:0E07606D:configuration file routines:module_run:module initialization error:crypto/conf/conf_mod.c:177:module=engines, value=engine_section, retcode=-1

My engine is loading automatically and it is used as the default engine, but why am I seeing those errors? And how can I fix it?

Sincerely,
Shariful Alam
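Editor's note, not part of the thread: the second error line above says that the engine configurator found the key `oid_section` with value `new_oids` inside `rsa_section`, and the first says it tried to run that key as an ENGINE ctrl command (every key in an engine section other than `engine_id`, `dynamic_path`, `init` and `default_algorithms` is passed to ENGINE_ctrl_cmd_string()). In OpenSSL's configuration format every `key = value` line after a `[section]` header belongs to that section until the next header, and `oid_section = new_oids` is the first key of the stock openssl.cnf's default section, so this is what happens when the engine sections are pasted near the top of the file rather than appended at the end. The layout below is an added example of the fix, not the poster's file; the engine id and path are taken from the message, and the `default_algorithms`/`init` keys are the standard engine-section keys, added here as an assumption about what "use my engine as the default" needs.

```ini
# Top of openssl.cnf: these keys belong to the default (unnamed) section.
openssl_conf = openssl_def
HOME         = .
oid_section  = new_oids          # must stay here, NOT under an engine section

[ new_oids ]
# ... stock contents unchanged ...

# ... the rest of the stock file ([req], [ca], ...) unchanged ...

# Engine sections appended at the END of the file, after every stock section,
# so that no stock key is swallowed into rsa_section.
[ openssl_def ]
engines = engine_section

[ engine_section ]
rsa-engine-new = rsa_section

[ rsa_section ]
engine_id          = rsa-engine-new
# The engine is found by id in the engines directory of this OpenSSL build
# (that is why it already appears in `openssl engine` output); the poster's
# dynamic_path line is kept commented out as in the message.
#dynamic_path      = /opt/openssl/lib/engines-1.1/rsa-engine-new.so
default_algorithms = ALL
init               = 1
```

A quick check after editing is `openssl engine -c -t rsa-engine-new`, which loads the configuration through the same code path and reports the engine's availability; the segmentation fault mentioned for the `dynamic_path` line is a separate problem inside the engine's load path that the message gives no data on.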
From janjust at nikhef.nl Tue Apr 6 07:15:33 2021
From: janjust at nikhef.nl (Jan Just Keijser)
Date: Tue, 6 Apr 2021 09:15:33 +0200
Subject: Porting to version 1.1.1 with old Linux kernel 3.0.8
In-Reply-To: <559426246.57031.1617653270887@mail.yahoo.com>
References: <1579842495.588965.1617635814713.ref@mail.yahoo.com> <1579842495.588965.1617635814713@mail.yahoo.com> <461D77A4-BCE6-4C52-A1FB-CFC2ED50A652@dukhovni.org> <559426246.57031.1617653270887@mail.yahoo.com>
Message-ID: <7f7e8978-dc96-f5ab-1125-df081788d4e2@nikhef.nl>

On 05/04/21 22:07, Boris Shpoungin via openssl-users wrote:
> Thank you for the response.
>
> Could you suggest the best approach for porting an application from 1.0.2 to
> 1.1.1?
> So far I've found a good manual which describes the required modifications:
> https://wiki.tizen.org/Security/Tizen_5.X_Migration_from_OpenSSL_1.0.2_to_OpenSSL_1.1.1_guide
>
> The question is whether it describes ALL required modifications?
>
I'd say you're better off asking this question on a Tizen mailing list; the list looks pretty exhaustive, but does it list everything? There is only one way to find out: recompile your application using openssl 1.1.1 and see if/where it breaks.
If you are worried about the combination of Linux 3.0.8 plus the switch from openssl 1.0.2 -> 1.1.1 then I'd suggest a three-step process:

1) build openssl 1.1.1 on your old kernel and run 'make test'; if that passes, then openssl is functional; if it does not pass these tests, then figure out what's wrong before proceeding
2) get yourself a Linux VM with a newer kernel and with a known-to-work openssl 1.1.1 (Fedora 33, Ubuntu 20 or CentOS 8 would work), then rebuild and relink your application on THAT platform, recording all required changes
3) finally, rebuild your ported application on the older Linux kernel

HTH,

JJK

> On Monday, April 5, 2021, 03:57:36 PM EDT, Viktor Dukhovni
> wrote:
>
>
> > On Apr 5, 2021, at 11:16 AM, Boris Shpoungin via openssl-users
> > wrote:
> >
> > Is there minimal requirements for Linux kernel for usage of openssl
> > library version 1.1.1?
> >
> > I have old application based on Linux kernel 3.0.8 which uses
> > openssl version 1.0.2. My question is whether it is possible to port
> > this application to use openssl version 1.1.1 in Linux 3.0.8 environment?
>
> The version of the Linux kernel is almost certainly irrelevant. OpenSSL
> makes minimal demands of the operating system. Only random number
> generation is plausibly something you need to think about. The getrandom(2)
> kernel API was added in Linux 3.17, so you'll need to use /dev/urandom instead.
>
> Otherwise, sockets, threads, ... are all present in Linux even before 3.0.
>
> --
>     Viktor.
>
From janjust at nikhef.nl Tue Apr 6 08:27:33 2021
From: janjust at nikhef.nl (Jan Just Keijser)
Date: Tue, 6 Apr 2021 10:27:33 +0200
Subject: Porting to version 1.1.1 with old Linux kernel 3.0.8
In-Reply-To: <1579842495.588965.1617635814713@mail.yahoo.com>
References: <1579842495.588965.1617635814713.ref@mail.yahoo.com> <1579842495.588965.1617635814713@mail.yahoo.com>
Message-ID:

On 05/04/21 17:16, Boris Shpoungin via openssl-users wrote:
> Hello,
>
> Is there minimal requirements for Linux kernel for usage of openssl
> library version 1.1.1?
>
> I have old application based on Linux kernel 3.0.8 which uses openssl
> version 1.0.2. My question is whether it is possible to port this
> application to use openssl version 1.1.1 in Linux 3.0.8 environment?
>
> If yes, then any useful info about "how to" will be greatly appreciated.
>
And FWIW: I just built and tested openssl 1.1.1k successfully on a 32-bit CentOS 6 VM with kernel 2.6.32, so if *THAT* works then surely kernel 3.0.8 will also work:

All tests successful.
Files=158, Tests=2635, 121 wallclock secs ( 1.21 usr  0.15 sys + 98.81 cusr 10.06 csys = 110.23 CPU)
Result: PASS

HTH,

JJK

PS getting the tests to run on CentOS 6 was the biggest hurdle, not openssl itself

From hmurray at megapathdsl.net Tue Apr 6 10:49:51 2021
From: hmurray at megapathdsl.net (Hal Murray)
Date: Tue, 06 Apr 2021 03:49:51 -0700
Subject: EVP_MAC_init() in 3.0 alpha 13
In-Reply-To: Message from Dr Paul Dale of "Tue, 06 Apr 2021 07:36:45 +1000."
Message-ID: <20210406104951.EC31240605C@ip-64-139-1-69.sjc.megapath.net>

pauli at openssl.org said:
> Does EVP_MAC_CTX_dup() after the MAC context has been initialised
> do what you want?

Thanks. Adding a dup/free gets the right answer, but isn't much of a speedup.

Is there a way to copy the critical bits into a working ctx? I looked in the header file but didn't see anything suspicious.
--------
i5-3570 CPU @ 3.40GHz
AES-128-CBC, 48 byte packets
Times in microseconds.

1.1.1k:
  0.339  CMAC
  0.676  PKEY
  0.236  PKEY preload
alpha12:
  0.933  CMAC
  1.091  EVP_MAC
  0.185  EVP_MAC Preload
alpha13:
  0.905  CMAC
  0.463  EVP_MAC
  0.359  EVP_MAC Preload with dup/free
  0.123  EVP_MAC Preload without dup/free, WRONG ANSWER

--
These are my opinions. I hate spam.

From mahajanshetty at outlook.com Tue Apr 6 15:51:24 2021
From: mahajanshetty at outlook.com (Vishwanath Mahajanshetty)
Date: Tue, 6 Apr 2021 15:51:24 +0000
Subject: openssl-users Digest, Vol 77, Issue 6
In-Reply-To: <1000514466144cd5b14037299c09c9cf@ncp-e.com>
References: <6440356e-a380-2284-b9c0-b1402792bb59@openssl.org>, <1000514466144cd5b14037299c09c9cf@ncp-e.com>
Message-ID:

Hi Matthias,

I tried the changes you suggested, it works well. Now T1 can call its own RNG and T2 calls its local DRBG. I don't find any reasons why it can't be done this way, maybe there are some hidden issues which I have not seen yet, but as of now it looks to be working fine.

Thank you very much Matthias and Paul for your help on this.

Regards,
Vishwanath M

From: Dr. Matthias St. Pierre
Sent: 05 April 2021 03:22 PM
To: Dr Paul Dale; Vishwanath Mahajanshetty; openssl-users at openssl.org
Subject: RE: openssl-users Digest, Vol 77, Issue 6

> It isn't possible to do what you are wanting. RAND_METHOD replaces the RNG everywhere. It cannot be done on a per thread process.

Well, technically it *is* possible. However, I'm still in doubt whether it is really necessary and should be done.

The following example assumes you are compiling for linux (or another unix-ish os) and using pthreads:

Assume that you recorded the thread id of your thread T1 (which you obtained from pthread_create()) in the static variable 'tid1'. Then you could take the code from [1] and modify it as follows:

```c
static int my_rand_bytes(unsigned char *out, int count)
{
    int ret = 0;   /* the special-RNG branch must set this to 1 on success */

    if (pthread_equal(pthread_self(), tid1)) {
        // ... call your special RNG here
    } else {
        RAND_DRBG *drbg = RAND_DRBG_get0_public();

        if (drbg == NULL)
            return 0;
        ret = RAND_DRBG_bytes(drbg, out, count);
    }
    return ret;
}
```

This is just a rough sketch, note that there are more RAND_METHODs to be considered [2].

Matthias

[1] https://github.com/openssl/openssl/blob/OpenSSL_1_1_1-stable/crypto/rand/drbg_lib.c#L958-L970
[2] https://github.com/openssl/openssl/blob/OpenSSL_1_1_1-stable/crypto/rand/drbg_lib.c#L1146-L1153

Dr. Matthias St. Pierre
Senior Software Engineer
matthias.st.pierre at ncp-e.com
NCP engineering GmbH, www.ncp-e.com

From: openssl-users On Behalf Of Dr Paul Dale
Sent: Monday, April 5, 2021 3:18 AM
To: openssl-users at openssl.org
Subject: Re: openssl-users Digest, Vol 77, Issue 6

Vishwanath,

It isn't possible to do what you are wanting. RAND_METHOD replaces the RNG everywhere. It cannot be done on a per thread process.

Pauli

On 4/4/21 9:55 pm, Vishwanath Mahajanshetty wrote:

Hi Paul,

Thanks for your response. I understand the concern for good random numbers; but in this scenario when the second thread calls SSL_CTX_new it is waiting forever in RAND_priv_bytes(). Looks like the entropy functions defined by the first (bind) thread are very specific for its own use case and can't be used by other threads. So I am thinking of using the default OpenSSL RAND_METHOD for the second thread and keep the first thread (bind) using its own random number generators.

Please let me know how I can make one thread use the default RAND_METHOD and keep the other thread using its own method. I have gone through RAND_bytes() and drbg_bytes() but am not getting enough of an idea. It would be really helpful if you point out APIs which help me to achieve this requirement.

Thank You,
Vishwanath M
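Editor's note on the EVP_MAC_init() thread above (Hal Murray's timing table and Paul Dale's EVP_MAC_CTX_dup() suggestion), not part of any message: the pattern under discussion is "absorb the key once, then clone the keyed context for every packet", and the failure mode Hal labels WRONG ANSWER is what you get when the keyed context itself is reused without being reset or cloned. The Python standard library's hmac module offers the same two primitives (a keyed context and copy()), so the pattern and the failure mode can be shown offline; HMAC-SHA256 stands in for the AES-128-CBC CMAC the thread benchmarks because the standard library has no CMAC. This is an added example, not code from the thread; the key and packets are constructed.

```python
import hashlib
import hmac
import os
import time
from typing import Dict

KEY = bytes(range(16))   # constructed 128-bit key (stands in for the CMAC key in the thread)
PACKET_LEN = 48          # the thread benchmarks 48-byte packets


def mac_fresh(key: bytes, msg: bytes) -> bytes:
    """Key setup on every call: the 'give it the key each time' case of the thread."""
    return hmac.new(key, msg, hashlib.sha256).digest()


class PreloadedMac:
    """Key setup once; every packet works on a copy of the keyed context.

    hmac.HMAC.copy() plays the role of EVP_MAC_CTX_dup(): it clones the state after
    the key has been absorbed, so each copy starts from a clean keyed state and the
    template itself is never mutated.
    """

    def __init__(self, key: bytes) -> None:
        self._template = hmac.new(key, digestmod=hashlib.sha256)

    def mac(self, msg: bytes) -> bytes:
        ctx = self._template.copy()      # cheap: no key schedule / ipad+opad work
        ctx.update(msg)
        return ctx.digest()

    def mac_without_copy(self, msg: bytes) -> bytes:
        """Reusing the template directly: state accumulates across packets, so the
        second call returns MAC(key, packet1 || packet2), not MAC(key, packet2).
        This is the 'preload without dup/free, WRONG ANSWER' row of the table."""
        self._template.update(msg)
        return self._template.digest()


def demonstrate() -> Dict[str, bool]:
    """Compare the copy-per-packet path and the reuse path against fresh computation."""
    p1, p2 = b"A" * PACKET_LEN, b"B" * PACKET_LEN          # constructed packets
    ref1, ref2 = mac_fresh(KEY, p1), mac_fresh(KEY, p2)

    good = PreloadedMac(KEY)
    copy_ok = (hmac.compare_digest(good.mac(p1), ref1)
               and hmac.compare_digest(good.mac(p2), ref2)
               and hmac.compare_digest(good.mac(p1), ref1))   # template still clean

    bad = PreloadedMac(KEY)
    first = hmac.compare_digest(bad.mac_without_copy(p1), ref1)   # happens to be right
    second_raw = bad.mac_without_copy(p2)
    second = hmac.compare_digest(second_raw, ref2)                # wrong answer
    concat = hmac.compare_digest(second_raw, mac_fresh(KEY, p1 + p2))

    return {"copy_matches": copy_ok, "reuse_first": first,
            "reuse_second": second, "reuse_second_is_concat": concat}


def benchmark(n: int = 20000) -> Dict[str, float]:
    """Microseconds per 48-byte packet for the two paths (numbers are machine-specific)."""
    pkts = [os.urandom(PACKET_LEN) for _ in range(256)]
    pm = PreloadedMac(KEY)

    t0 = time.perf_counter()
    for i in range(n):
        mac_fresh(KEY, pkts[i % 256])
    t1 = time.perf_counter()
    for i in range(n):
        pm.mac(pkts[i % 256])
    t2 = time.perf_counter()

    return {"fresh_us": (t1 - t0) / n * 1e6, "copy_us": (t2 - t1) / n * 1e6}


if __name__ == "__main__":
    print(demonstrate())
    print(benchmark())
```

In OpenSSL 3.0 terms the template is the EVP_MAC_CTX after EVP_MAC_init(ctx, key, keylen, params), and the per-packet path is EVP_MAC_CTX_dup / EVP_MAC_update / EVP_MAC_final / EVP_MAC_CTX_free, which is what the "with dup/free" row measures; the reuse row shows why skipping the dup is not a valid shortcut even though it is the fastest number in the table.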
From tkogan at cincom.com Tue Apr 6 17:45:08 2021
From: tkogan at cincom.com (Tamara Kogan)
Date: Tue, 6 Apr 2021 13:45:08 -0400
Subject: Using SSL_CTX_set_min_proto_version
Message-ID:

Hello,

In our client application we are trying to set TLS 1.2 in the ClientHello message. The OpenSSL version is 1.1.1h.

We use the function

SSL_CTX_set_min_proto_version(ssl->ctx, TLS1_2_VERSION);

If I test the version right after setting it, it does return 1.2:

SSL_CTX_get_proto_version(ssl->ctx) == TLS1_2_VERSION

But the ClientHello is still created with TLS 1.0 (16 03 01 01 42 ...).

Any explanation why the ClientHello message ignores the min TLS version? Any suggestion how to enforce the 1.2 version?

Thanks,
Tamara

From matt at openssl.org Tue Apr 6 18:13:02 2021
From: matt at openssl.org (Matt Caswell)
Date: Tue, 6 Apr 2021 19:13:02 +0100
Subject: Using SSL_CTX_set_min_proto_version
In-Reply-To:
References:
Message-ID: <83b99d25-b7c9-9199-4f26-c0d1bda2aae1@openssl.org>

On 06/04/2021 18:45, Tamara Kogan via openssl-users wrote:
> Hello,
>
> In our client application we are trying to set TLS 1.2 in ClientHello
> message. The OpenSSL version is 1.1.1h
>
> We use the function
>
> SSL_CTX_set_min_proto_version(ssl->ctx, TLS1_2_VERSION);
> If I test the version right after setting it does return 1.2
> SSL_CTX_get_proto_version(ssl->ctx) == TLS1_2_VERSION
>
> But the ClientHello is still created with TLS 1.0
> (16 03 01 01 42 ...)
>
> Any explanation why the ClientHello message ignores min TLS version?
> Any suggestion how to enforce 1.2 version?

You are looking at the *record layer* TLS version. This is always 1.0 in the ClientHello, regardless of what TLS protocol version is actually being requested.
TLS protocol version fields are a bit of a minefield of confusion and unexpected behaviour. For example in an OpenSSL TLSv1.3 ClientHello the record layer protocol version will be set to TLSv1.0, the ClientHello message itself will have the protocol version set to TLSv1.2, and the supported versions extension will list the actual supported versions (i.e. in your case it would be TLSv1.3 and TLSv1.2).

Matt

From xiaonan830818 at gmail.com Wed Apr 7 02:14:42 2021
From: xiaonan830818 at gmail.com (Nan Xiao)
Date: Wed, 7 Apr 2021 10:14:42 +0800
Subject: How to dump all certificates from a file?
Message-ID:

Hi OpenSSL users,

Greetings from me! By default openssl-x509 can only dump one certificate from the file:

# openssl x509 --in /etc/ssl/cacert.pem --text --noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 84:82:2c:5f:1c:62:d0:40
        Signature Algorithm: sha256WithRSAEncryption
......

I checked the code (https://github.com/openssl/openssl/blob/493e78986f9677c2b321273da51c276b9a8182d8/apps/lib/apps.c#L945): it seems openssl-x509 only dumps the first valid one. I also went through the manual (https://www.openssl.org/docs/man1.1.1/man1/openssl-x509.html), and can't find a method to dump all certificates.

Could anyone give some clues on dumping all certificates from a file? Thanks very much in advance!

Best Regards
Nan Xiao

From openssl-users at dukhovni.org Wed Apr 7 02:36:38 2021
From: openssl-users at dukhovni.org (Viktor Dukhovni)
Date: Tue, 6 Apr 2021 22:36:38 -0400
Subject: How to dump all certificates from a file?
In-Reply-To:
References:
Message-ID:

On Wed, Apr 07, 2021 at 10:14:42AM +0800, Nan Xiao wrote:

> Greetings from me! By default openssl-x509 can only dump one
> certificate from the file:

By "a file" you clearly mean a "PEM file" with one or more certificates enclosed in "-----BEGIN ...".."-----END ..." delimiters.
With that proviso, the command in question is:

    openssl crl2pkcs7 -nocrl -certfile somefile.pem |
        openssl pkcs7 -print_certs -text

The output format can be tweaked slightly, though not quite as much as with "openssl x509". See the pkcs7(1) manpage for details.

--
    Viktor.

From xiaonan830818 at gmail.com Wed Apr 7 02:58:38 2021
From: xiaonan830818 at gmail.com (Nan Xiao)
Date: Wed, 7 Apr 2021 10:58:38 +0800
Subject: How to dump all certificates from a file?
In-Reply-To:
References:
Message-ID:

Hi Viktor,

> By "a file" you clearly mean a "PEM file" with one or more certificates enclosed in "-----BEGIN ...".."-----END ..." delimiters.

Yes, this is what I mean.

> openssl crl2pkcs7 -nocrl -certfile somefile.pem | openssl pkcs7 -print_certs -text

Works like a charm! Thanks very much for your time and quick response!

Best Regards
Nan Xiao

On Wed, Apr 7, 2021 at 10:46 AM Viktor Dukhovni wrote:
>
> On Wed, Apr 07, 2021 at 10:14:42AM +0800, Nan Xiao wrote:
>
> > Greetings from me! By default openssl-x509 can only dump one
> > certificate from the file:
>
> By "a file" you clearly mean a "PEM file" with one or more certificates
> enclosed in "-----BEGIN ...".."-----END ..." delimiters. With that
> proviso, the command in question is:
>
>     openssl crl2pkcs7 -nocrl -certfile somefile.pem |
>         openssl pkcs7 -print_certs -text
>
> The output format can be tweaked slightly, though not quite as much as
> with "openssl x509". See the pkcs7(1) manpage for details.
>
> --
>     Viktor.

From dev at ddvo.net Wed Apr 7 06:18:15 2021
From: dev at ddvo.net (David von Oheimb)
Date: Wed, 7 Apr 2021 08:18:15 +0200
Subject: How to dump all certificates from a file?
In-Reply-To:
References:
Message-ID:

I also had this problem several years back but did not find the nifty though counter-intuitive workaround using crl2pkcs7 given below.
Since then I've been using a Perl script like this:

> #!/usr/bin/perl
> $/ = '-----END CERTIFICATE-----';
> while(<>) {
>     if(m|$/|s) {
>         print STDERR "########## $ARGV ##########\n";
>         system "echo '$_' | openssl x509 -noout -text";
>     }
> }

which unfortunately does not work with "TRUSTED CERTIFICATE".

I think the x509 command should be extended to print all certs.

David

On 7 April 2021 04:58:38 CEST, Nan Xiao wrote:
> Hi Viktor,
>
> > By "a file" you clearly mean a "PEM file" with one or more certificates
> > enclosed in "-----BEGIN ...".."-----END ..." delimiters.
>
> Yes, this is what I mean.
>
> > openssl crl2pkcs7 -nocrl -certfile somefile.pem |
> >     openssl pkcs7 -print_certs -text
>
> Works like a charm! Thanks very much for your time and quick response!
>
> Best Regards
> Nan Xiao
>
> On Wed, Apr 7, 2021 at 10:46 AM Viktor Dukhovni
> wrote:
> >
> > On Wed, Apr 07, 2021 at 10:14:42AM +0800, Nan Xiao wrote:
> >
> > > Greetings from me! By default openssl-x509 can only dump one
> > > certificate from the file:
> >
> > By "a file" you clearly mean a "PEM file" with one or more certificates
> > enclosed in "-----BEGIN ...".."-----END ..." delimiters. With that
> > proviso, the command in question is:
> >
> >     openssl crl2pkcs7 -nocrl -certfile somefile.pem |
> >         openssl pkcs7 -print_certs -text
> >
> > The output format can be tweaked slightly, though not quite as much as
> > with "openssl x509". See the pkcs7(1) manpage for details.
> >
> > --
> >     Viktor.
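Editor's note on the thread above, not part of any message: Viktor's crl2pkcs7 pipeline and David's Perl script both work around the fact that "openssl x509" stops after the first certificate, and David points out that his script misses "TRUSTED CERTIFICATE" blocks, because the record separator it uses only matches the plain "-----END CERTIFICATE-----" line. The following is an added example, not code from either poster, that splits a PEM bundle by BEGIN/END label with a backreference so the END line must carry the same label as its BEGIN line, accepts both certificate labels, skips keys and CRLs, and feeds each block to "openssl x509 -noout -text" on stdin (that command accepts either label). The sample bundle is constructed; its base64 bodies are placeholders, not real DER, so only the splitting is exercised without an openssl binary.

```python
import re
import shutil
import subprocess
from typing import Iterable, List, Tuple

# One PEM block. The backreference (\1) forces the END label to equal the BEGIN
# label, so "-----END CERTIFICATE-----" cannot close a "TRUSTED CERTIFICATE" block
# and vice versa; re.S lets the body span lines, and the lazy quantifier stops at
# the first matching END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

# Both labels that "openssl x509" reads; David's script only handles the first.
CERT_LABELS: Tuple[str, ...] = ("CERTIFICATE", "TRUSTED CERTIFICATE")

# Constructed sample bundle: placeholder bodies, mixed block types, CRLF in one block.
SAMPLE_BUNDLE = (
    "# constructed sample bundle, bodies are not real DER\n"
    "-----BEGIN CERTIFICATE-----\nMIIBfake1\n-----END CERTIFICATE-----\n"
    "-----BEGIN TRUSTED CERTIFICATE-----\nMIIBfake2\nAAAA\n-----END TRUSTED CERTIFICATE-----\n"
    "-----BEGIN PRIVATE KEY-----\nMIIEfakekey\n-----END PRIVATE KEY-----\n"
    "-----BEGIN X509 CRL-----\nMIIBfakecrl\n-----END X509 CRL-----\n"
    "-----BEGIN CERTIFICATE-----\r\nMIIBfake3\r\n-----END CERTIFICATE-----\r\n"
)


def split_pem(text: str, labels: Iterable[str] = CERT_LABELS) -> List[Tuple[str, str]]:
    """Return (label, block_text) for every block whose label is in `labels`,
    in file order. Blocks of other types are skipped rather than treated as errors."""
    wanted = set(labels)
    return [(m.group(1), m.group(0) + "\n")
            for m in PEM_BLOCK.finditer(text) if m.group(1) in wanted]


def dump_all(path: str, openssl: str = "openssl") -> List[str]:
    """Print every certificate in a bundle with `openssl x509 -noout -text`.

    Needs an openssl binary on PATH (name configurable for custom builds);
    each block is passed on stdin, which is what openssl x509 reads when -in
    is absent. Returns the text dumps, one per certificate, for further use."""
    if shutil.which(openssl) is None:
        raise FileNotFoundError(f"{openssl!r} not found on PATH")
    with open(path, "r", encoding="ascii", errors="replace") as f:
        blocks = split_pem(f.read())
    dumps = []
    for index, (label, block) in enumerate(blocks):
        proc = subprocess.run([openssl, "x509", "-noout", "-text"],
                              input=block.encode("ascii"),
                              capture_output=True, check=True)
        dumps.append(f"########## {path} #{index} ({label}) ##########\n"
                     + proc.stdout.decode("utf-8", errors="replace"))
    return dumps


if __name__ == "__main__":
    import sys
    for name in sys.argv[1:]:
        for dump in dump_all(name):
            print(dump)
```

Compared with the Perl script, the splitter never hands openssl a block it did not ask for (a stray private key in the same bundle is skipped, not printed), and the per-block invocation keeps the usual x509 options available, which is the one thing the crl2pkcs7 route gives up.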
From tkogan at cincom.com Wed Apr 7 14:22:13 2021
From: tkogan at cincom.com (Tamara Kogan)
Date: Wed, 7 Apr 2021 10:22:13 -0400
Subject: Using SSL_CTX_set_min_proto_version
In-Reply-To:
References:
Message-ID: <2D4DC68C-1057-4DB7-BE04-5B66DD1A4AA9@cincom.com>

> From: Matt Caswell
> Subject: Re: Using SSL_CTX_set_min_proto_version
> Date: April 6, 2021 at 2:13:02 PM EDT
> To: openssl-users at openssl.org
>
>
> On 06/04/2021 18:45, Tamara Kogan via openssl-users wrote:
>> Hello,
>> In our client application we are trying to set TLS 1.2 in ClientHello message. The OpenSSL version is 1.1.1h
>> We use the function
>> SSL_CTX_set_min_proto_version(ssl->ctx, TLS1_2_VERSION);
>> If I test the version right after setting it does return 1.2
>> SSL_CTX_get_proto_version(ssl->ctx) == TLS1_2_VERSION
>> But the ClientHello is still created with TLS 1.0
>> (16 03 01 01 42 ...)
>> Any explanation why the ClientHello message ignores min TLS version?
>> Any suggestion how to enforce 1.2 version?
>
> You are looking at the *record layer* TLS version. This is always 1.0 in the ClientHello, regardless of what TLS protocol version is actually being requested. TLS protocol version fields are a bit of a minefield of confusion and unexpected behaviour. For example in an OpenSSL TLSv1.3 ClientHello the record layer protocol version will be set to TLSv1.0, the ClientHello message itself will have the protocol version set to TLSv1.2, and the supported versions extension will list the actual supported versions (i.e. in your case it would be TLSv1.3 and TLSv1.2).
>
> Matt
>

I have not found any confirmation in the TLS specs that the "record layer" version must be 1.0.

TLS 1.1 https://tools.ietf.org/html/rfc4346#appendix-A.1
TLS 1.2 https://tools.ietf.org/html/rfc5246#appendix-A.1
TLS 1.3 https://tools.ietf.org/html/rfc8446#appendix-B.1

Our client failed to connect to a mail server when the server changed settings and limited TLS versions to 1.2 only.
The server parsed the first three bytes of the ClientHello, detected version 1.0 and closed the connection. Then it was half a day debugging OpenSSL in an attempt to understand why SSL_CTX_set_min_proto_version doesn't make any difference.

Now the server was updated and it still doesn't accept a ClientHello with 1.0, but at least the server sends a "ChangeCipherSpec Message" message and the client resends the ClientHello with 1.2. As a result, in order to be connected the client has an extra message exchange.

From my point of view the "Record Layer" ProtocolVersion has to be settable.

Tamara

From matt at openssl.org Wed Apr 7 14:52:35 2021
From: matt at openssl.org (Matt Caswell)
Date: Wed, 7 Apr 2021 15:52:35 +0100
Subject: Using SSL_CTX_set_min_proto_version
In-Reply-To: <2D4DC68C-1057-4DB7-BE04-5B66DD1A4AA9@cincom.com>
References: <2D4DC68C-1057-4DB7-BE04-5B66DD1A4AA9@cincom.com>
Message-ID: <8706c885-a103-7678-4bee-e041b273f18e@openssl.org>

On 07/04/2021 15:22, Tamara Kogan via openssl-users wrote:
> I have not found any confirmation in TLS specs that the "record layer"
> version must be 1.0.

I did not mean to imply that the specs say that the record layer version *must* be 1.0. Only that that is what OpenSSL *does*. In fact the earlier versions of the SSL/TLS specs were quite ambiguous and unclear on this matter. It is partly for this reason and partly because of a proliferation of buggy server implementations that TLS version negotiation became the mess that it is today. The current OpenSSL behaviour was chosen as a result of trying to go with the behaviour that gives the maximum interoperability whilst being entirely consistent with the specs.
The TLSv1.2 RFC was more explicit than the earlier versions about what is allowed for the record layer version in the ClientHello message:

"TLS clients that wish to negotiate with older servers MAY send any value {03,XX} as the record layer version number. Typical values would be {03,00}, the lowest version number supported by the client, and the value of ClientHello.client_version. No single value will guarantee interoperability with all old servers, but this is a complex topic beyond the scope of this document."

TLSv1.3 says something different about it:

"legacy_record_version: MUST be set to 0x0303 for all records generated by a TLS 1.3 implementation other than an initial ClientHello (i.e., one not generated after a HelloRetryRequest), where it MAY also be 0x0301 for compatibility purposes. This field is deprecated and MUST be ignored for all purposes. Previous versions of TLS would use other values in this field under some circumstances."

> Our client failed to connect to a mail server when the server changed
> settings and limited TLS versions to 1.2 only. The server parsed the
> first three bytes of ClientHello, detected 1.0 version and closed the
> connection.

Then, IMO, this server is buggy and not consistent with the TLSv1.2 spec.

Matt

From wmk589 at yahoo.com Wed Apr 7 18:31:18 2021
From: wmk589 at yahoo.com (Boris Shpoungin)
Date: Wed, 7 Apr 2021 18:31:18 +0000 (UTC)
Subject: Compilation issue with 1.1.1k version
References: <499417966.502682.1617820278918.ref@mail.yahoo.com>
Message-ID: <499417966.502682.1617820278918@mail.yahoo.com>

Hello,

I am using a cross compiler toolchain (arm-hisiv200-linux-gnueabi) to compile the openssl library for an arm based custom board. I had no problems compiling version 1.1.1a, however I am having trouble compiling versions 1.1.1i and 1.1.1k:

${LDCMD:-arm-hisiv200-linux-gnueabi-gcc} -pthread -Wa,--noexecstack -Wall -O3 -L. 
\
-o apps/openssl apps/asn1pars.o apps/ca.o apps/ciphers.o apps/cms.o apps/crl.o apps/crl2p7.o apps/dgst.o apps/dhparam.o apps/dsa.o apps/dsaparam.o apps/ec.o apps/ecparam.o apps/enc.o apps/engine.o apps/errstr.o apps/gendsa.o apps/genpkey.o apps/genrsa.o apps/nseq.o apps/ocsp.o apps/openssl.o apps/passwd.o apps/pkcs12.o apps/pkcs7.o apps/pkcs8.o apps/pkey.o apps/pkeyparam.o apps/pkeyutl.o apps/prime.o apps/rand.o apps/rehash.o apps/req.o apps/rsa.o apps/rsautl.o apps/s_client.o apps/s_server.o apps/s_time.o apps/sess_id.o apps/smime.o apps/speed.o apps/spkac.o apps/srp.o apps/storeutl.o apps/ts.o apps/verify.o apps/version.o apps/x509.o \
apps/libapps.a -lssl -lcrypto -ldl -pthread
./libcrypto.so: undefined reference to `set_sys_error'
collect2: ld returned 1 exit status
Makefile:6271: recipe for target 'apps/openssl' failed
make[1]: *** [apps/openssl] Error 1
make[1]: Leaving directory '/home/bshpungin/tools/openssl/1.1.1k'
Makefile:174: recipe for target 'all' failed
make: *** [all] Error 2

Can anyone advise what could be the problem and where the set_sys_error function/macro is defined?

Thanks
Robert

From matt at openssl.org Wed Apr 7 18:39:22 2021
From: matt at openssl.org (Matt Caswell)
Date: Wed, 7 Apr 2021 19:39:22 +0100
Subject: Compilation issue with 1.1.1k version
In-Reply-To: <499417966.502682.1617820278918@mail.yahoo.com>
References: <499417966.502682.1617820278918.ref@mail.yahoo.com> <499417966.502682.1617820278918@mail.yahoo.com>
Message-ID:

On 07/04/2021 19:31, Boris Shpoungin via openssl-users wrote:
> Hello,
>
> I am using cross compiler toolchain (arm-hisiv200-linux-gnueabi) to
> compile openssl library for arm based custom board.
> I had no problems to compile version 1.1.1a, however I am having
> troubles to compile versions 1.1.1i and 1.1.1k:
>
> ${LDCMD:-arm-hisiv200-linux-gnueabi-gcc} -pthread -Wa,--noexecstack
> -Wall -O3 -L. 
> -o apps/openssl apps/asn1pars.o apps/ca.o apps/ciphers.o apps/cms.o
> apps/crl.o apps/crl2p7.o apps/dgst.o apps/dhparam.o apps/dsa.o
> apps/dsaparam.o apps/ec.o apps/ecparam.o apps/enc.o apps/engine.o
> apps/errstr.o apps/gendsa.o apps/genpkey.o apps/genrsa.o apps/nseq.o
> apps/ocsp.o apps/openssl.o apps/passwd.o apps/pkcs12.o apps/pkcs7.o
> apps/pkcs8.o apps/pkey.o apps/pkeyparam.o apps/pkeyutl.o apps/prime.o
> apps/rand.o apps/rehash.o apps/req.o apps/rsa.o apps/rsautl.o
> apps/s_client.o apps/s_server.o apps/s_time.o apps/sess_id.o
> apps/smime.o apps/speed.o apps/spkac.o apps/srp.o apps/storeutl.o
> apps/ts.o apps/verify.o apps/version.o apps/x509.o \
> apps/libapps.a -lssl -lcrypto -ldl -pthread
> ./libcrypto.so: undefined reference to `set_sys_error'
> collect2: ld returned 1 exit status
> Makefile:6271: recipe for target 'apps/openssl' failed
> make[1]: *** [apps/openssl] Error 1
> make[1]: Leaving directory '/home/bshpungin/tools/openssl/1.1.1k'
> Makefile:174: recipe for target 'all' failed
> make: *** [all] Error 2
>
> Can anyone advise what could be the problem and where the set_sys_error
> function/macro is defined?

It's a macro defined in the file e_os.h:

# define set_sys_error(e)        errno=(e)

It's only used in 2 files (crypto/dso/dso_dlfcn.c and crypto/err/err.c), both of which directly include e_os.h. It's quite strange that the definition of the macro is not being picked up.
Matt

>
> Thanks
> Robert

From matt at openssl.org Wed Apr 7 19:04:54 2021
From: matt at openssl.org (Matt Caswell)
Date: Wed, 7 Apr 2021 20:04:54 +0100
Subject: Compilation issue with 1.1.1k version
In-Reply-To: <1951282708.510667.1617822134592@mail.yahoo.com>
References: <499417966.502682.1617820278918.ref@mail.yahoo.com> <499417966.502682.1617820278918@mail.yahoo.com> <1951282708.510667.1617822134592@mail.yahoo.com>
Message-ID: <1b32d35e-48e5-a5d5-bd55-4280f9a3e020@openssl.org>

On 07/04/2021 20:02, Boris Shpoungin wrote:
> In my sources there is no definition for that macro, this is the problem:
>
> user at ubuntu_dev_vm:~/tools/openssl/1.1.1k$ grep -HRn 'set_sys_error' .
> ./crypto/err/err.c:259:    set_sys_error(saveerrno);
> ./crypto/err/err.c:750:    set_sys_error(saveerrno);
> ./crypto/err/err.c:784:    set_sys_error(saveerrno);
> ./crypto/dso/dso_dlfcn.c:126:    set_sys_error(saveerrno);

Seems you have corrupt sources. For me:

$ grep -HRn 'set_sys_error'
crypto/err/err.c:259:    set_sys_error(saveerrno);
crypto/err/err.c:750:    set_sys_error(saveerrno);
crypto/err/err.c:784:    set_sys_error(saveerrno);
crypto/dso/dso_dlfcn.c:126:    set_sys_error(saveerrno);
e_os.h:77:# define set_sys_error(e)      errno=(e)
e_os.h:95:# undef set_sys_error
e_os.h:98:# define set_sys_error(e)      SetLastError(e)

Matt

>
> Any idea why?
> Thanks
>
> On Wednesday, April 7, 2021, 02:39:46 PM EDT, Matt Caswell wrote:
>
>
> On 07/04/2021 19:31, Boris Shpoungin via openssl-users wrote:
> > Hello,
> >
> > I am using a cross-compiler toolchain (arm-hisiv200-linux-gnueabi) to
> > compile the openssl library for an ARM-based custom board.
> > I had no problems compiling version 1.1.1a, however I am having
> > trouble compiling versions 1.1.1i and 1.1.1k:
> >
> > ${LDCMD:-arm-hisiv200-linux-gnueabi-gcc} -pthread -Wa,--noexecstack
> > -Wall -O3 -L. \
> > -o apps/openssl apps/asn1pars.o apps/ca.o apps/ciphers.o apps/cms.o
> > apps/crl.o apps/crl2p7.o apps/dgst.o apps/dhparam.o apps/dsa.o
> > apps/dsaparam.o apps/ec.o apps/ecparam.o apps/enc.o apps/engine.o
> > apps/errstr.o apps/gendsa.o apps/genpkey.o apps/genrsa.o apps/nseq.o
> > apps/ocsp.o apps/openssl.o apps/passwd.o apps/pkcs12.o apps/pkcs7.o
> > apps/pkcs8.o apps/pkey.o apps/pkeyparam.o apps/pkeyutl.o apps/prime.o
> > apps/rand.o apps/rehash.o apps/req.o apps/rsa.o apps/rsautl.o
> > apps/s_client.o apps/s_server.o apps/s_time.o apps/sess_id.o
> > apps/smime.o apps/speed.o apps/spkac.o apps/srp.o apps/storeutl.o
> > apps/ts.o apps/verify.o apps/version.o apps/x509.o \
> > apps/libapps.a -lssl -lcrypto -ldl -pthread
> > ./libcrypto.so: undefined reference to `set_sys_error'
> > collect2: ld returned 1 exit status
> > Makefile:6271: recipe for target 'apps/openssl' failed
> > make[1]: *** [apps/openssl] Error 1
> > make[1]: Leaving directory '/home/bshpungin/tools/openssl/1.1.1k'
> > Makefile:174: recipe for target 'all' failed
> > make: *** [all] Error 2
> >
> > Can anyone advise what could be the problem and where the set_sys_error
> > function/macro is defined?
>
> It's a macro defined in the file e_os.h:
>
> # define set_sys_error(e)        errno=(e)
>
> It's only used in 2 files (crypto/dso/dso_dlfcn.c and crypto/err/err.c),
> both of which directly include e_os.h. It's quite strange that the
> definition of the macro is not being picked up.
>
> Matt
>
>
>
> > Thanks
> > Robert

From fabpet at gmail.com Thu Apr 8 08:53:16 2021
From: fabpet at gmail.com (Fabio)
Date: Thu, 8 Apr 2021 10:53:16 +0200
Subject: Help with i2d_CMS_bio_stream from OpenSSL 1.0 to OpenSSL 1.1.1j
Message-ID:

Hi all,

I have a problem upgrading my code from openssl 1.0 to the latest 1.1.1j. Using an older version, I exported the CMS code in order to extend and modify some calculations. I used i2d_CMS_bio_stream to convert the struct to DER.
Using OpenSSL 1.1.1j I had to change all the DECLARE_STACK_OF into DEFINE_STACK_OF, but now i2d_CMS_bio_stream produces broken DER. In particular, when in the code I add a stack to the structure and push some structs into the stack, i2d_CMS_bio_stream does not write the SEQUENCE correctly (instead I get some 0x06 0x82 0x30 0x82)...

What should I do to fix this?

Thanks.
FP

From openssl at openssl.org Thu Apr 8 12:39:33 2021
From: openssl at openssl.org (OpenSSL)
Date: Thu, 8 Apr 2021 12:39:33 +0000
Subject: OpenSSL version 3.0.0-alpha14 published
Message-ID: <20210408123933.GA27472@openssl.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

OpenSSL version 3.0 alpha 14 released
=====================================

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

OpenSSL 3.0 is currently in alpha. OpenSSL 3.0 alpha 14 has now been made available.

Note: This OpenSSL pre-release has been provided for testing ONLY. It should NOT be used for security critical purposes.

Specific notes on upgrading to OpenSSL 3.0 from previous versions, as well as known issues are available on the OpenSSL Wiki, here: https://wiki.openssl.org/index.php/OpenSSL_3.0

The alpha release is available for download via HTTPS and FTP from the following master locations (you can find the various FTP mirrors under https://www.openssl.org/source/mirror.html):

* https://www.openssl.org/source/
* ftp://ftp.openssl.org/source/

The distribution file name is:

o openssl-3.0.0-alpha14.tar.gz
Size: 14392548
SHA1 checksum: 255708727c8772f930d1058d723341d68d6ed005
SHA256 checksum: 78a935e1d314d66cccaa68931702a52d42015b47c3c44bec631de9f5705cb6c0

The checksums were calculated using the following commands:

openssl sha1 openssl-3.0.0-alpha14.tar.gz
openssl sha256 openssl-3.0.0-alpha14.tar.gz

Please download and check this alpha release as soon as possible.
To report a bug, open an issue on GitHub:

https://github.com/openssl/openssl/issues

Please check the release notes and mailing lists to avoid duplicate reports of known issues. (Of course, the source is also available on GitHub.)

Yours,
The OpenSSL Project Team.

-----BEGIN PGP SIGNATURE-----
[PGP signature block omitted]
-----END PGP SIGNATURE-----

From wmk589 at yahoo.com Fri Apr 9 20:03:28 2021
From: wmk589 at yahoo.com (Robert Smith)
Date: Fri, 9 Apr 2021 20:03:28 +0000 (UTC)
Subject: Symbols X509_set_notAfter and X509_set_notBefore are missing
References: <1449495576.408991.1617998608784.ref@mail.yahoo.com>
Message-ID: <1449495576.408991.1617998608784@mail.yahoo.com>

Hello,

I am porting an application from OpenSSL version 1.0.2u to 1.1.1k and the linker complains that the symbols X509_set_notAfter and X509_set_notBefore are missing.

I've checked both versions 1.0.2u and 1.1.1k and I see that these symbols really are not present in 1.1.1k.

user at ubuntu_dev_vm:~/tools/openssl$ nm -D --defined-only 1.0.2u/lib/libcrypto.so.1.0.0 | grep X509_set_not
00110994 T X509_set_notAfter
001109fc T X509_set_notBefore
user at ubuntu_dev_vm:~/tools/openssl$ nm -D --defined-only 1.1.1k/libcrypto.so.1.1 | grep X509_set_not
user at ubuntu_dev_vm:~/tools/openssl$

I use default builds with NO limiting defines OPENSSL_API_COMPAT as described in the wiki: https://wiki.openssl.org/index.php/OpenSSL_1.1.0_Changes

Can anyone clarify how to resolve the issue with the X509_set_notAfter and X509_set_notBefore symbols.

Thanks
Robert
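A build-hygiene check for the header/library mismatch that produces this kind of unresolved reference, as an added example rather than anything from the thread or from OpenSSL itself. In 1.1.x the old names survive in <openssl/x509.h> only as compatibility macros (X509_set_notBefore expands to X509_set1_notBefore), so 1.0.2 headers paired with a 1.1.1 libcrypto leave them unresolved at link time; the include directories, nm listings and function names below are constructed stand-ins of my own.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSL.  Checks whether the
# OpenSSL headers a build compiles against and the libcrypto it links agree on
# the X509 validity API.  The sample headers and nm listings are constructed
# (addresses are made up); only the macro/symbol names are real OpenSSL ones.

# Print OPENSSL_VERSION_TEXT from <include_dir>/openssl/opensslv.h.
header_version() {
    sed -n 's/^# *define *OPENSSL_VERSION_TEXT *"\([^"]*\)".*/\1/p' \
        "$1/openssl/opensslv.h" | head -n 1
}

# Succeed if the headers in <include_dir> carry the 1.1.x compatibility macro.
header_has_compat_macro() {
    grep -Eq '^# *define +X509_set_notBefore +X509_set1_notBefore' \
        "$1/openssl/x509.h"
}

# Succeed if an "nm -D --defined-only" listing on stdin exports <symbol> as a
# text symbol, e.g.: nm -D --defined-only libcrypto.so | exports_symbol X509_set1_notBefore
exports_symbol() {
    grep -Eq "^[[:xdigit:]]+ T $1\$"
}

# Compare the headers in <include_dir> with a saved nm listing in <nm_file>.
# Returns 0 when both are 1.0.2-style or both 1.1.x-style, 1 on a mismatch.
diagnose() {
    inc="$1"
    nmfile="$2"
    if header_has_compat_macro "$inc"; then hdr=1.1.x; else hdr=1.0.2; fi
    if exports_symbol X509_set1_notBefore < "$nmfile"; then lib=1.1.x; else lib=1.0.2; fi
    echo "headers: $(header_version "$inc") ($hdr API), library exports: $lib API"
    if [ "$hdr" = "$lib" ]; then
        echo "consistent"
        return 0
    fi
    echo "MISMATCH: compiling against $hdr headers but linking a $lib libcrypto"
    return 1
}

# Write constructed headers imitating one release into <dir>:
# make_headers <dir> <version_text> <yes|no: define the 1.1.x compat macro>
make_headers() {
    mkdir -p "$1/openssl"
    printf '# define OPENSSL_VERSION_TEXT    "%s"\n' "$2" > "$1/openssl/opensslv.h"
    if [ "$3" = yes ]; then
        printf '# define X509_set_notBefore X509_set1_notBefore\n' > "$1/openssl/x509.h"
    else
        printf 'int X509_set_notBefore(X509 *x, const ASN1_TIME *tm);\n' > "$1/openssl/x509.h"
    fi
}

# Constructed walk-through: a 1.1.1k-style library paired first with matching
# headers, then with 1.0.2u-style headers (the failure mode reported above).
demo() {
    tmp=$(mktemp -d)
    make_headers "$tmp/inc102" "OpenSSL 1.0.2u  20 Dec 2019" no
    make_headers "$tmp/inc111" "OpenSSL 1.1.1k  25 Mar 2021" yes
    printf '00110994 T X509_set_notAfter\n001109fc T X509_set_notBefore\n' > "$tmp/nm102"
    printf '0012a3c0 T X509_set1_notAfter\n0012a410 T X509_set1_notBefore\n' > "$tmp/nm111"
    diagnose "$tmp/inc111" "$tmp/nm111" || true
    diagnose "$tmp/inc102" "$tmp/nm111" || true
    rm -rf "$tmp"
}

demo
```

On a real tree, point diagnose at the -I directory the compiler is given and at the output of nm -D --defined-only on the libcrypto the linker actually resolves.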
From bkaduk at akamai.com Fri Apr 9 20:12:02 2021
From: bkaduk at akamai.com (Benjamin Kaduk)
Date: Fri, 9 Apr 2021 13:12:02 -0700
Subject: Symbols X509_set_notAfter and X509_set_notBefore are missing
In-Reply-To: <1449495576.408991.1617998608784@mail.yahoo.com>
References: <1449495576.408991.1617998608784.ref@mail.yahoo.com> <1449495576.408991.1617998608784@mail.yahoo.com>
Message-ID: <20210409201202.GV25665@akamai.com>

They are macros now. You should still be able to build code that uses them.

-Ben

On Fri, Apr 09, 2021 at 08:03:28PM +0000, Robert Smith via openssl-users wrote:
> Hello,
> I am porting an application from OpenSSL version 1.0.2u to 1.1.1k and the linker complains that the symbols X509_set_notAfter and X509_set_notBefore are missing.
>
> I've checked both versions 1.0.2u and 1.1.1k and I see that these symbols really are not present in 1.1.1k.
> user at ubuntu_dev_vm:~/tools/openssl$ nm -D --defined-only 1.0.2u/lib/libcrypto.so.1.0.0 | grep X509_set_not
> 00110994 T X509_set_notAfter
> 001109fc T X509_set_notBefore
> user at ubuntu_dev_vm:~/tools/openssl$ nm -D --defined-only 1.1.1k/libcrypto.so.1.1 | grep X509_set_not
> user at ubuntu_dev_vm:~/tools/openssl$
> I use default builds with NO limiting defines OPENSSL_API_COMPAT as described in the wiki: https://wiki.openssl.org/index.php/OpenSSL_1.1.0_Changes
>
> Can anyone clarify how to resolve the issue with the X509_set_notAfter and X509_set_notBefore symbols.
>
> Thanks
> Robert

From wmk589 at yahoo.com Fri Apr 9 20:48:06 2021
From: wmk589 at yahoo.com (Robert Smith)
Date: Fri, 9 Apr 2021 20:48:06 +0000 (UTC)
Subject: Symbols X509_set_notAfter and X509_set_notBefore are missing
In-Reply-To: <20210409201202.GV25665@akamai.com>
References: <1449495576.408991.1617998608784.ref@mail.yahoo.com> <1449495576.408991.1617998608784@mail.yahoo.com> <20210409201202.GV25665@akamai.com>
Message-ID: <666375494.439809.1618001286205@mail.yahoo.com>

Unfortunately I am unable to link:

../bin/arm_release/libAppcrypt.a(Certificate.o): In function `CreateCertificateHandler':
/home/user/trunk/common/App/Crypt/ATCL/Certificate.cpp:198: undefined reference to `X509_set_notBefore'
/home/user/trunk/common/App/Crypt/ATCL/Certificate.cpp:202: undefined reference to `X509_set_notAfter'

Any idea?

On Friday, April 9, 2021, 04:13:32 PM EDT, Benjamin Kaduk wrote:

They are macros now. You should still be able to build code that uses them.

-Ben

On Fri, Apr 09, 2021 at 08:03:28PM +0000, Robert Smith via openssl-users wrote:
> Hello,
> I am porting an application from OpenSSL version 1.0.2u to 1.1.1k and the linker complains that the symbols X509_set_notAfter and X509_set_notBefore are missing.
>
> I've checked both versions 1.0.2u and 1.1.1k and I see that these symbols really are not present in 1.1.1k.
> user at ubuntu_dev_vm:~/tools/openssl$ nm -D --defined-only 1.0.2u/lib/libcrypto.so.1.0.0 | grep X509_set_not
> 00110994 T X509_set_notAfter
> 001109fc T X509_set_notBefore
> user at ubuntu_dev_vm:~/tools/openssl$ nm -D --defined-only 1.1.1k/libcrypto.so.1.1 | grep X509_set_not
> user at ubuntu_dev_vm:~/tools/openssl$
> I use default builds with NO limiting defines OPENSSL_API_COMPAT as described in the wiki: https://wiki.openssl.org/index.php/OpenSSL_1.1.0_Changes
>
> Can anyone clarify how to resolve the issue with the X509_set_notAfter and X509_set_notBefore symbols.
>
> Thanks
> Robert

From dcoombs at carillon.ca Sat Apr 10 13:09:23 2021
From: dcoombs at carillon.ca (Dave Coombs)
Date: Sat, 10 Apr 2021 09:09:23 -0400
Subject: Symbols X509_set_notAfter and X509_set_notBefore are missing
In-Reply-To: <666375494.439809.1618001286205@mail.yahoo.com>
References: <1449495576.408991.1617998608784.ref@mail.yahoo.com> <1449495576.408991.1617998608784@mail.yahoo.com> <20210409201202.GV25665@akamai.com> <666375494.439809.1618001286205@mail.yahoo.com>
Message-ID: <2973f70b3a633fbba4a7f6ac13bb090a3ddbdf88.camel@carillon.ca>

Is there a chance you're compiling using the 1.0.2 headers but linking against 1.1.1?

-D.

On Fri, 2021-04-09 at 20:48 +0000, Robert Smith via openssl-users wrote:
> Unfortunately I am unable to link:
>
> ../bin/arm_release/libAppcrypt.a(Certificate.o): In function `CreateCertificateHandler':
> /home/user/trunk/common/App/Crypt/ATCL/Certificate.cpp:198: undefined reference to `X509_set_notBefore'
> /home/user/trunk/common/App/Crypt/ATCL/Certificate.cpp:202: undefined reference to `X509_set_notAfter'
>
> Any idea?
>
>
> On Friday, April 9, 2021, 04:13:32 PM EDT, Benjamin Kaduk wrote:
>
>
> They are macros now. You should still be able to build code that uses them.
>
> -Ben
>
> On Fri, Apr 09, 2021 at 08:03:28PM +0000, Robert Smith via openssl-users wrote:
> > Hello,
> > I am porting an application from OpenSSL version 1.0.2u to 1.1.1k and the linker complains that the symbols X509_set_notAfter and X509_set_notBefore are missing.
> >
> > I've checked both versions 1.0.2u and 1.1.1k and I see that these symbols really are not present in 1.1.1k.
> > user at ubuntu_dev_vm:~/tools/openssl$ nm -D --defined-only 1.0.2u/lib/libcrypto.so.1.0.0 | grep X509_set_not
> > 00110994 T X509_set_notAfter
> > 001109fc T X509_set_notBefore
> > user at ubuntu_dev_vm:~/tools/openssl$ nm -D --defined-only 1.1.1k/libcrypto.so.1.1 | grep X509_set_not
> > user at ubuntu_dev_vm:~/tools/openssl$
> > I use default builds with NO limiting defines OPENSSL_API_COMPAT as described in the wiki: https://wiki.openssl.org/index.php/OpenSSL_1.1.0_Changes
> >
> >
> > Can anyone clarify how to resolve the issue with the X509_set_notAfter and X509_set_notBefore symbols.
> >
> > Thanks
> > Robert

From dipto181 at gmail.com Sun Apr 11 19:04:06 2021
From: dipto181 at gmail.com (Shariful Alam)
Date: Sun, 11 Apr 2021 13:04:06 -0600
Subject: error: redefinition of 'struct rsa_meth_st'
Message-ID:

Hello,

Hope you guys are doing well. I'm trying to develop an RSA engine. My engine was somewhat working until I tried to integrate my engine with an apache httpd server. After installing the httpd from the source code, it turns out that I can't compile my engine anymore. I get the following error while I try to compile (it was compiling before and I did not make any changes to my engine code).

==============================

$gcc -fPIC -c r_engine.c
r_engine.c:29:8: error: redefinition of 'struct rsa_meth_st'
 struct rsa_meth_st {
        ^
In file included from /usr/include/openssl/crypto.h:131:0,
                 from r_engine.c:7:
/usr/include/openssl/ossl_typ.h:147:16: note: originally defined here
 typedef struct rsa_meth_st RSA_METHOD;

=============================

and my struct rsa_meth_st looks like the following,

================================================================================

struct rsa_meth_st {
    const char *name;
    int (*rsa_pub_enc) (int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding);
    int (*rsa_pub_dec) (int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding);
    int (*rsa_priv_enc) (int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding);
    int (*rsa_priv_dec) (int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding);
    int (*rsa_mod_exp) (BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx);
    int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
    int (*init) (RSA *rsa);
    int (*finish) (RSA *rsa);
    int flags;
    char *app_data;
    int (*rsa_sign) (int type, const unsigned char *m, unsigned int m_length, unsigned char *sigret, unsigned int *siglen, const RSA *rsa);
    int (*rsa_verify) (int dtype, const unsigned char *m, unsigned int m_length, const unsigned char *sigbuf, unsigned int siglen, const RSA *rsa);
    int (*rsa_keygen) (RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb);
};

=================================================================================

My sample skeleton code is here https://pastebin.com/uNXYknEA

Can anyone please tell me what I am doing wrong?

Regards,
Shariful Alam
From pauli at openssl.org Sun Apr 11 23:59:48 2021
From: pauli at openssl.org (Dr Paul Dale)
Date: Mon, 12 Apr 2021 09:59:48 +1000
Subject: Re: error: redefinition of 'struct rsa_meth_st'
In-Reply-To:
References:
Message-ID:

You shouldn't be accessing the internals of a private structure. That structure was made private for a reason and duplicating it in your engine will break when we change the structure's contents.

Your engine should be using the EVP_PKEY_meth_set_* functions to do what you want (for 1.1.1). For 3.0, you should be writing a provider instead.

Pauli

On 12/4/21 5:04 am, Shariful Alam wrote:
> Hello,
> Hope you guys are doing well. I'm trying to develop an RSA engine. My
> engine was somewhat working until I tried to integrate my engine with an
> apache httpd server. After installing the httpd from the source code,
> it turns out that I can't compile my engine anymore. I get the
> following error while I try to compile (it was compiling before and I
> did not make any changes to my engine code).
>
> ==============================
>
> $gcc -fPIC -c r_engine.c
> r_engine.c:29:8: error: redefinition of 'struct rsa_meth_st'
>  struct rsa_meth_st {
>         ^
> In file included from /usr/include/openssl/crypto.h:131:0,
>                  from r_engine.c:7:
> /usr/include/openssl/ossl_typ.h:147:16: note: originally defined here
>  typedef struct rsa_meth_st RSA_METHOD;
>
> =============================
>
> and my struct rsa_meth_st looks like the following,
>
> ================================================================================
>
> struct rsa_meth_st {
>
>     const char *name;
>     int (*rsa_pub_enc) (int flen, const unsigned char *from, unsigned
> char *to, RSA *rsa, int padding);
>     int (*rsa_pub_dec) (int flen, const unsigned char *from, unsigned
> char *to, RSA *rsa, int padding);
>
>     int (*rsa_priv_enc) (int flen, const unsigned char *from, unsigned
> char *to, RSA *rsa, int padding);
>     int (*rsa_priv_dec) (int flen, const unsigned char *from, unsigned
> char *to, RSA *rsa, int padding);
>
>     int (*rsa_mod_exp) (BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX
> *ctx);
>
>     int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
> const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
>
>     int (*init) (RSA *rsa);
>
>     int (*finish) (RSA *rsa);
>
>     int flags;
>
>     char *app_data;
>
>     int (*rsa_sign) (int type, const unsigned char *m, unsigned int
> m_length, unsigned char *sigret, unsigned int *siglen, const RSA *rsa);
>
>     int (*rsa_verify) (int dtype, const unsigned char *m, unsigned int
> m_length, const unsigned char *sigbuf, unsigned int siglen, const RSA
> *rsa);
>
>     int (*rsa_keygen) (RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb);
>
> };
>
> =================================================================================
>
> My sample skeleton code is here https://pastebin.com/uNXYknEA
>
>
> Can anyone please tell me what I am doing wrong?
>
> Regards,
> Shariful Alam

From pauli at openssl.org Mon Apr 12 04:06:07 2021
From: pauli at openssl.org (Dr Paul Dale)
Date: Mon, 12 Apr 2021 14:06:07 +1000
Subject: EVP_MAC_init() in 3.0 alpha 13
In-Reply-To: <20210405125135.74ED3406061@ip-64-139-1-69.sjc.megapath.net>
References: <20210405125135.74ED3406061@ip-64-139-1-69.sjc.megapath.net>
Message-ID:

Did you attempt to pass NULL for the key and zero for its length to the EVP_MAC_init() call?

Pauli

On 5/4/21 10:51 pm, Hal Murray wrote:
> It used to take just a ctx. Now it also wants a key+length and a params.
>
> I have some simple/hack code to time 2 cases. The first gives it the key each
> time. The second preloads the key. That would require an evp per key, but I
> might be willing to make that space/time tradeoff.
>
> The each-time mode of my old code put the cipher and key into a params array,
> then called
>   EVP_MAC_CTX_set_params(ctx, params) and then
>   EVP_MAC_init(ctx)
> That's easy to change. I just drop putting the key into a params slot and
> drop calling set_params and add the key and params to EVP_MAC_init. That worked.
>
> Is there a way to use a preloaded key? I tried using NULL for key and params
> when calling EVP_MAC_init. It compiles and runs but doesn't get the right
> answer. Is that, or something like it, supposed to work?
>
> --------
>
> EVP_MAC_CTX_set_params() seems ugly to me.
>
> My inner loop looks like:
>   EVP_MAC_CTX_set_params()
>   EVP_MAC_init()
>   EVP_MAC_update()
>   EVP_MAC_final()
>
> I'm trying to make things go fast. It's going to have to do string compares
> to figure out what I want to do. I'm working with small blocks of data (48
> bytes) so the setup cost is important. Or I think it is, so I'm trying to
> measure it.
>
> The case I'm trying to get working is to move the EVP_MAC_CTX_set_params() out
> of the loop.
>

From Sunil.Paramashivaiah at rbbn.com Mon Apr 12 04:24:32 2021
From: Sunil.Paramashivaiah at rbbn.com (Paramashivaiah, Sunil)
Date: Mon, 12 Apr 2021 04:24:32 +0000
Subject: PEM_read_bio_RSAPublicKey equivalent API which returns EVP_PKEY
Message-ID:

Hi All,

While migrating from 1.0.2 to 3.0, we are replacing the deprecated APIs "RSA_public_encrypt" and "RSA_public_decrypt" with "EVP_PKEY_encrypt" and "EVP_PKEY_decrypt".

In 1.0.2, "RSA_public_encrypt" and "RSA_public_decrypt" took an RSA public key as parameter, created using "PEM_read_bio_RSA_PUBKEY" and "PEM_read_bio_RSAPublicKey" where the public key was encoded using a SubjectPublicKeyInfo structure and a PKCS#1 RSAPublicKey structure respectively.

In 3.0, I replaced "PEM_read_bio_RSA_PUBKEY" with "PEM_read_bio_PUBKEY" to get an EVP_PKEY for creating an EVP ctx (EVP_PKEY_CTX_new) to use in "EVP_PKEY_encrypt" and "EVP_PKEY_decrypt".
But I couldn't find an equivalent API to replace "PEM_read_bio_RSAPublicKey" to get an EVP_PKEY for creating an EVP ctx (EVP_PKEY_CTX_new) to use in "EVP_PKEY_encrypt" and "EVP_PKEY_decrypt".

Please suggest an API (a replacement for PEM_read_bio_RSAPublicKey) to use to get an EVP_PKEY for a public key encoded using the PKCS#1 RSAPublicKey structure.

Thanks and Regards,
Sunil

From ozdemird at tcd.ie Mon Apr 12 08:57:44 2021
From: ozdemird at tcd.ie (Danis Ozdemir)
Date: Mon, 12 Apr 2021 09:57:44 +0100
Subject: Fwd: Question about RSA key access mechanism
In-Reply-To:
References:
Message-ID:

Hi all,

I hope all is good. My name is Danis Ozdemir, I'm a PhD student at Trinity College (Ireland) and I'm studying computer security. I'm trying to reproduce the Meltdown attack as an effort to dive deep into the known attack types with some specific scenarios, and "trying to see whether Meltdown could have been used against a web server making use of openssl libraries, running on an old, non-patched Linux kernel" is one of them.
Please notice that the intentions are purely academic here, rather than performing a real attack.

Before investigating a more realistic scenario, I started with an 'open box' approach in which the openssl server process reveals the addresses of the sub-fields of its private key (the private key and the certificate used below were created using the command 'openssl req -x509 -nodes -days 1000 -newkey rsa:2048 -keyout priv.pem -out cert.pem', so they are RSA based, and I just used good old printf in the function "ssl_set_pkey" in the file "ssl/ssl_rsa.c"):

# LD_LIBRARY_PATH=${PWD} ./apps/openssl s_server -accept 54321 -cert my_keys/cert.pem -key my_keys/priv.pem -www
Could not read params of DH parameters from my_keys/cert.pem
Using default temp DH parameters
DANIS - ssl_set_pkey - c->pkeys[0].privatekey : 0x55e4f9f01670 - 144
Danis - ssl_set_pkey - pkey->keydata->n : 0x55e4f9f13d50
Danis - ssl_set_pkey - pkey->keydata->e : 0x55e4f9f131e0
Danis - ssl_set_pkey - pkey->keydata->d : 0x55e4f9f05790
Danis - ssl_set_pkey - pkey->keydata->p : 0x55e4f9f05670
Danis - ssl_set_pkey - pkey->keydata->q : 0x55e4f9f058b0
Danis - ssl_set_pkey - pkey->keydata->dmp1 : 0x55e4f9f18850
Danis - ssl_set_pkey - pkey->keydata->dmq1 : 0x55e4f9f13800
Danis - ssl_set_pkey - pkey->keydata->iqmp : 0x55e4f9f13820
ACCEPT

Once the server is up and running, I get the real address of the sub-field p using gdb:

# ps -ef | grep -v grep | grep openssl
adminq 1421 1280 0 16:55 pts/1 00:00:00 ./apps/openssl s_server -accept 54321 -cert my_keys/cert.pem -key my_keys/priv.pem -www
# gdb
GNU gdb (Debian 8.2.1-2+b3) 8.2.1
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see: .
Find the GDB manual and other documentation resources online at: .
For help, type "help".
Type "apropos word" to search for commands related to "word".
(gdb) attach 1421
Attaching to process 1421
Reading symbols from /home/adminq/Workspace/openssl/apps/openssl...(no debugging symbols found)...done.
Reading symbols from /home/adminq/Workspace/openssl/libssl.so.3...(no debugging symbols found)...done.
Reading symbols from /home/adminq/Workspace/openssl/libcrypto.so.3...(no debugging symbols found)...done.
Reading symbols from /lib/x86_64-linux-gnu/libdl.so.2...Reading symbols from /usr/lib/debug/.build-id/d3/583c742dd47aaa860c5ae0c0c5bdbcd2d54f61.debug...done.
done.
Reading symbols from /lib/x86_64-linux-gnu/libpthread.so.0...Reading symbols from /usr/lib/debug/.build-id/e9/1114987a0147bd050addbd591eb8994b29f4b3.debug...done.
done.
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Reading symbols from /lib/x86_64-linux-gnu/libc.so.6...Reading symbols from /usr/lib/debug/.build-id/18/b9a9a8c523e5cfe5b5d946d605d09242f09798.debug...done.
done.
Reading symbols from /lib64/ld-linux-x86-64.so.2...Reading symbols from /usr/lib/debug/.build-id/f2/5dfd7b95be4ba386fd71080accae8c0732b711.debug...done.
done.
0x00007efd06acd631 in __libc_accept (fd=4, addr=..., len=0x7ffca292907c) at ../sysdeps/unix/sysv/linux/accept.c:26
26      ../sysdeps/unix/sysv/linux/accept.c: No such file or directory.
(gdb) x/6x 0x55e4f9f05670
0x55e4f9f05670: 0xf9f06b70      0x000055e4      0x00000010      0x00000010
0x55e4f9f05680: 0x00000000      0x0000000d
(gdb) watch * (unsigned long *) 0x55e4f9f06b70
Hardware watchpoint 1: * (unsigned long *) 0x55e4f9f06b70
(gdb) c
Continuing.
So, this output tells me that the content of p starts from the address 0x55e4f9f06b70 and its length is 16*sizeof(unsigned long) bytes, as p is of type bignum_st which has the following layout:

struct bignum_st {
    BN_ULONG *d;                /* Pointer to an array of 'BN_BITS2' bit
                                 * chunks. */
    int top;                    /* Index of last used d +1. */
    /* The next are internal book keeping for bn_expand. */
    int dmax;                   /* Size of the d array. */
    int neg;                    /* one if the number is negative */
    int flags;
};

When I define a watchpoint for that address to verify that it has been accessed when a new client connects to the server and make the server continue, I can't see a hit, which means this address hasn't been accessed.

I'm attaching the s_client output as a file, since it's longer compared to the outputs above.

I then dumped all the non-executable pages that were allocated for this process using ptrace to see whether another copy of the key was present, and I couldn't find any copies.

So, either I'm doing something wrong (which is the case, most probably) or there's another area which contains another representation of the key for security reasons (given the fact that the raw key content is accessible in RAM, this one seems less likely). Therefore, assuming I'm doing something wrong, if you could tell me what it is, I'd be grateful.

Best regards,
Danis Ozdemir
-------------- next part --------------
echo -n "GET / HTTP/1.0\r\n" | LD_LIBRARY_PATH=${PWD} ./apps/openssl s_client -connect localhost:54321
CONNECTED(00000004)
Can't use SSL_get_servername
depth=0 C = IE, ST = Some-State, O = Internet Widgits Pty Ltd, CN = reproducemeltdown.org
verify error:num=18:self-signed certificate
verify return:1
depth=0 C = IE, ST = Some-State, O = Internet Widgits Pty Ltd, CN = reproducemeltdown.org
verify return:1
---
Certificate chain
 0 s:C = IE, ST = Some-State, O = Internet Widgits Pty Ltd, CN = reproducemeltdown.org
   i:C = IE, ST = Some-State, O = Internet Widgits Pty Ltd, CN = reproducemeltdown.org
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Mar 28 21:32:12 2021 GMT; NotAfter: Dec 23 21:32:12 2023 GMT
---
Server certificate
subject=C = IE, ST = Some-State, O = Internet Widgits Pty Ltd, CN = reproducemeltdown.org
issuer=C = IE, ST = Some-State, O = Internet Widgits Pty Ltd, CN = reproducemeltdown.org
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1499 bytes and written 377 bytes
Verification error: self-signed certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 18 (self-signed certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 47FFCE934A50DBE3FBA670BB4FBE8EB180D8C3728B99613E4A1FD4A96A199E15
    Session-ID-ctx:
    Resumption PSK: 8707B96581DAF33C21A39F8216F83062CE976BCC7CFE1E69702668BB784C2EF961114B81CD758E3A2B6313679DCCEB84
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    Start Time: 1618156631
    Timeout   : 7200 (sec)
    Verify return code: 18 (self-signed certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 0E84FCD59606B36F71358DF304AC7C57BCDA93F80F8F816220FACD45EFA3027E
    Session-ID-ctx:
    Resumption PSK: 3F2EA2506F0EDC88C83BD658B1B4B0B8B51E3FCCD46B7A6A97E4B1630FE768CE7AE02D0EC7E125DDF803A17C74190237
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    Start Time: 1618156631
    Timeout   : 7200 (sec)
    Verify return code: 18 (self-signed certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
DONE

From michal.moravec at logicworks.cz Mon Apr 12 12:13:22 2021
From: michal.moravec at logicworks.cz (Michal Moravec)
Date: Mon, 12 Apr 2021 12:13:22 +0000
Subject: PKCS7_decrypt vs RSA OAEP padding
Message-ID: <014A6238-B9C5-498B-995B-46E3CCE2C2E3@logicworks.cz>

Hello,

I am a system administrator trying to integrate two pieces of software using the SCEP protocol (more on that later in the More Context section). Integration was working but one side (SaaS product) changed the algorithms it uses for signing and encryption within the PKCS7 message. After that I am unable to decrypt the PKCS7 messages on my end and get the error:

"ERROR 139701710696896:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:../crypto/evp/evp_enc.c:597: message_static_functions.c:221: decryption failed"

From my current state of investigation it looks highly likely there is a problem with the PKCS7_decrypt method, which might be unable to decrypt the PKCS7/CMS payload if RSA is used together with OAEP padding.

1. What are the differences between the pkcs7 (https://github.com/openssl/openssl/tree/681618cfc18b4f01f2c07e823308d30f6f47504b/crypto/pkcs7) and CMS (https://github.com/openssl/openssl/tree/681618cfc18b4f01f2c07e823308d30f6f47504b/crypto/cms) implementations?

If I understand correctly, CMS is just the newer name for PKCS7 adopted by newer RFCs?
Do these two implementations overlap?
Or is there some kind of major difference, like the PKCS7 module being there for compatibility with older code and CMS being basically the replacement to use for the future?

2. Is the PKCS7_decrypt method in https://github.com/openssl/openssl/blob/681618cfc18b4f01f2c07e823308d30f6f47504b/crypto/pkcs7/pk7_smime.c capable of decrypting the PKCS7 payload when OAEP padding is used together with RSA to encrypt it?
If it is indeed not capable of doing that, would it be a bug or desired behavior?

I found a few pointers:

- https://stackoverflow.com/questions/56941480/how-to-set-padding-oaep-for-pkcs7-decrypt-function-using-openssl <- Developer is unable to use PKCS7_decrypt with RSA OAEP and is forced to switch to the CMS_decrypt method.
- https://stackoverflow.com/questions/34304570/how-to-resolve-the-evp-decryptfinal-ex-bad-decrypt-during-file-decryption <- Padding being a source of the EVP_DecryptFinal_ex:bad decrypt error message.

3. How to replace the PKCS7_decrypt method with CMS_decrypt as easily as possible?

I have no hard proof of PKCS7_decrypt being the culprit here so I started working on a simple C program to reproduce the issue.
Problem is my C skills are very rusty and I have no experience working with the OpenSSL C library.

    int PKCS7_decrypt(PKCS7 *p7, EVP_PKEY *pkey, X509 *cert, BIO *data, int flags);
    int CMS_decrypt(CMS_ContentInfo *cms, EVP_PKEY *pkey, X509 *cert, BIO *dcont, BIO *out, unsigned int flags);

Methods are very similar but the input data format is different. Is there an easy way to convert a PKCS7 struct into a CMS_ContentInfo struct?

Original usage of PKCS7_decrypt here -> https://github.com/openxpki/libscep/blob/4067eae283ce0b3025d414e9d3b6af30def8c093/src/message_static_functions.c

# More Context

My goal is to obtain a signed client certificate using the SCEP protocol.

SCEP server: OpenXPKI https://github.com/openxpki/openxpki (Perl) with the libscep https://github.com/openxpki/libscep library (C). libscep uses OpenSSL.
SCEP client: VMware Workspace ONE UEM SaaS (WSO). Black box. From the error codes the client produces I strongly suspect they use OpenSSL within .Net code.

Originally the WSO SCEP client used these three algorithms for PKCS7 operation: SHA-1, RSA (PKCS 1.5 padding or no padding <- can't tell which) and 3DES-CBC.
They made some sort of change (unannounced) and since the last SaaS update the WSO client uses SHA-2 (256bit), RSA with OAEP padding and AES-256-CBC.
Compare the attached PKCS7 messages (libscep_wso*.p7b). I use https://lapo.it/asn1js to decode them easily.
After the change I am unable to decrypt the PKIOperation message on the server side.

I suspect the RSA with OAEP is the cause of the problem because using a different client with SHA-256, AES-256-CBC and RSA decryption works without any problem (libscep_sscep_ok.p7b).

Best Regards,
Michal Moravec

-------------- next part --------------
A non-text attachment was scrubbed...
Name: libscep_wso_after_broken.p7b
Type: application/octet-stream
Size: 4104 bytes
Desc: libscep_wso_after_broken.p7b
-------------- next part --------------
A non-text attachment was scrubbed...
Name: libscep_wso_before_ok.p7b
Type: application/octet-stream
Size: 4124 bytes
Desc: libscep_wso_before_ok.p7b
-------------- next part --------------
A non-text attachment was scrubbed...
Name: libscep_sscep_ok.p7b
Type: application/octet-stream
Size: 3950 bytes
Desc: libscep_sscep_ok.p7b

From hmurray at megapathdsl.net Mon Apr 12 12:48:57 2021
From: hmurray at megapathdsl.net (Hal Murray)
Date: Mon, 12 Apr 2021 05:48:57 -0700
Subject: EVP_MAC_init() in 3.0 alpha 13
In-Reply-To: Message from Dr Paul Dale of "Mon, 12 Apr 2021 14:06:07 +1000."
Message-ID: <20210412124857.623AB40605C@ip-64-139-1-69.sjc.megapath.net>

> Did you attempt to pass NULL for the key and zero for its length to the
> EVP_MAC_init() call?

Yes.

We can do better. If we have to use dup/free, we can move the EVP_MAC_init() to before the dup, out of the timing path.

My model is that initialization is 2 parts. The first is turning the key into a big table. The second is initializing a small amount of state that is whatever is needed/updated by EVP_MAC_update().

I was hoping that EVP_MAC_init() with NULL key would bypass the first step and do the second.
If the second step involves a lot of computation we get into the space/time tradeoff of computing it during step one and saving it in case EVP_MAC_init is called with NULL key.

If there was a copy operation we could use it instead of dup/free.

Where is the code that does the key setup? I expect it will be obvious after I see it, but I don't know my way around that linkage yet. I'm using the default AES-128-CBC.

---------

I don't think I've said it explicitly, but thanks for the change to the API for EVP_MAC_init()

----------

Should PKEY be a potentially interesting approach for something like this? I think it was suggested months ago. One advantage is that the code works with 1.1.1.

It's horribly slow in 3.0

alpha14:
  0.777 CMAC
  7.533 PKEY
  3.323 PKEY preload
  0.392 EVP_MAC
  0.308 EVP_MAC Preload with dup+free
  0.102 EVP_MAC Preload (no dup, wrong answer)

1.1.1k:
  0.285 CMAC
  0.550 PKEY
  0.196 PKEY preload

-- 
These are my opinions. I hate spam.

From tomas at openssl.org Mon Apr 12 13:05:37 2021
From: tomas at openssl.org (Tomas Mraz)
Date: Mon, 12 Apr 2021 15:05:37 +0200
Subject: EVP_MAC_init() in 3.0 alpha 13
In-Reply-To: <20210412124857.623AB40605C@ip-64-139-1-69.sjc.megapath.net>
References: <20210412124857.623AB40605C@ip-64-139-1-69.sjc.megapath.net>
Message-ID: <348b006ceb83fd4301438cbb0c57b473a4f4ef23.camel@openssl.org>

On Mon, 2021-04-12 at 05:48 -0700, Hal Murray wrote:
> > Did you attempt to pass NULL for the key and zero for its length
> > to the EVP_MAC_init() call?
>
> Yes.
>
> We can do better. If we have to use dup/free, we can move the
> EVP_MAC_init() to before the dup, out of the timing path.
>
> My model is that initialization is 2 parts. The first is turning the
> key into a big table. The second is initializing a small amount of
> state that is whatever is needed/updated by EVP_MAC_update().
>
> I was hoping that EVP_MAC_init() with NULL key would bypass the first
> step and do the second.
We would have to introduce the special semantics similar to EVP_CipherInit() with EVP_MAC_init(). I.e., that the EVP_CipherInit() with NULL key keeps the key schedule from the previous initialization.

> If the second step involves a lot of computation we get into the
> space/time tradeoff of computing it during step one and saving it in
> case EVP_MAC_init is called with NULL key.
>
> If there was a copy operation we could use it instead of dup/free.

I do not think we want to introduce the copy operation. We are trying to get out of the copy() pattern as it is much harder to handle correctly than the dup().

-- 
Tomáš Mráz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
[You'll know whether the road is wrong if you carefully listen to your conscience.]

From dipto181 at gmail.com Mon Apr 12 16:32:32 2021
From: dipto181 at gmail.com (Shariful Alam)
Date: Mon, 12 Apr 2021 10:32:32 -0600
Subject: Re: error: redefinition of 'struct rsa_meth_st'

Dr. Pauli,
Good morning. Thank you for replying. I found the documentation a bit difficult for me to understand.
I was wondering if you can direct me to a sample skeleton code for creating a custom RSA engine.

Regards,
Shariful Alam

On Sun, Apr 11, 2021 at 6:00 PM Dr Paul Dale wrote:
> You shouldn't be accessing the internal of a private structure. That
> structure was made private for a reason and duplicating it in your engine
> will break when we change the structure's contents.
>
> Your engine should be using the EVP_PKEY_meth_set_* function to do what
> you want (for 1.1.1). For 3.0, you should be writing a provider instead.
>
> Pauli
>
> On 12/4/21 5:04 am, Shariful Alam wrote:
> Hello,
> Hope you guys are doing well. I'm trying to develop an RSA engine. My
> engine was somewhat working until I try to integrate my engine with an
> apache httpd server. After installing the httpd from the source code, it
> turns out that I can't compile my engine anymore. I get the following
> error while I try to compile (it was compiling before and I did not make
> any changes to my engine code).
>
> ==============================
>
> $gcc -fPIC -c r_engine.c
> r_engine.c:29:8: error: redefinition of 'struct rsa_meth_st'
>  struct rsa_meth_st {
>         ^
> In file included from /usr/include/openssl/crypto.h:131:0,
>                  from r_engine.c:7:
> /usr/include/openssl/ossl_typ.h:147:16: note: originally defined here
>  typedef struct rsa_meth_st RSA_METHOD;
>
> =============================
>
> and my struct rsa_meth_st looks like the following,
>
> ================================================================================
>
> struct rsa_meth_st {
>     const char *name;
>     int (*rsa_pub_enc) (int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding);
>     int (*rsa_pub_dec) (int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding);
>     int (*rsa_priv_enc) (int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding);
>     int (*rsa_priv_dec) (int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding);
>     int (*rsa_mod_exp) (BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx);
>     int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
>     int (*init) (RSA *rsa);
>     int (*finish) (RSA *rsa);
>     int flags;
>     char *app_data;
>     int (*rsa_sign) (int type, const unsigned char *m, unsigned int m_length, unsigned char *sigret, unsigned int *siglen, const RSA *rsa);
>     int (*rsa_verify) (int dtype, const unsigned char *m, unsigned int m_length, const unsigned char *sigbuf, unsigned int siglen, const RSA *rsa);
>     int (*rsa_keygen) (RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb);
> };
>
> =================================================================================
>
> My sample skeleton code is here https://pastebin.com/uNXYknEA
>
> Can anyone please tell me what I am doing wrong?
>
> Regards,
> Shariful Alam
From levitte at openssl.org Mon Apr 12 16:34:51 2021
From: levitte at openssl.org (Richard Levitte)
Date: Mon, 12 Apr 2021 18:34:51 +0200
Subject: PEM_read_bio_RSAPublicKey equivalent API which returns EVP_PKEY
Message-ID: <87h7kba2c4.wl-levitte@openssl.org>

On Mon, 12 Apr 2021 06:24:32 +0200, Paramashivaiah, Sunil wrote:
>
> But, I couldn't find equivalent API to replace "PEM_read_bio_RSAPublicKey" to get EVP_PKEY for
> creating EVP ctx(EVP_PKEY_CTX_new) to use in "EVP_PKEY_encrypt" and "EVP_PKEY_decrypt".

I believe that one of these functions would help you:

    EVP_PKEY_CTX *EVP_PKEY_CTX_new(EVP_PKEY *pkey, ENGINE *e);
    EVP_PKEY_CTX *EVP_PKEY_CTX_new_from_pkey(OSSL_LIB_CTX *libctx, EVP_PKEY *pkey, const char *propquery);

Cheers,
Richard

-- 
Richard Levitte         levitte at openssl.org
OpenSSL Project         http://www.openssl.org/~levitte/

From matt at openssl.org Mon Apr 12 16:42:20 2021
From: matt at openssl.org (Matt Caswell)
Date: Mon, 12 Apr 2021 17:42:20 +0100
Subject: Re: error: redefinition of 'struct rsa_meth_st'

You can look at the dummy async engine which wraps the standard RSA functions inside an engine (as well as various other crypto primitives). You can see it here:

https://github.com/openssl/openssl/blob/OpenSSL_1_1_1-stable/engines/e_dasync.c

Matt
From uri at ll.mit.edu Mon Apr 12 17:06:15 2021
From: uri at ll.mit.edu (Blumenthal, Uri - 0553 - MITLL)
Date: Mon, 12 Apr 2021 17:06:15 +0000
Subject: Re: error: redefinition of 'struct rsa_meth_st'

Is there an analog of the "dummy async engine" for the OpenSSL-3.0 Provider?

TNX
-- 
Regards,
Uri

There are two ways to design a system. One is to make it so simple there are obviously no deficiencies.
The other is to make it so complex there are no obvious deficiencies.
                                                                     - C. A. R. Hoare

On 4/12/21, 12:43, "openssl-users on behalf of Matt Caswell" wrote:

    You can look at the dummy async engine which wraps the standard RSA
    functions inside an engine (as well as various other crypto primitives).
    You can see it here:

    https://github.com/openssl/openssl/blob/OpenSSL_1_1_1-stable/engines/e_dasync.c

    Matt
From lear at ofcourseimright.com Mon Apr 12 17:24:42 2021
From: lear at ofcourseimright.com (Eliot Lear)
Date: Mon, 12 Apr 2021 19:24:42 +0200
Subject: PKCS7_decrypt vs RSA OAEP padding
In-Reply-To: <014A6238-B9C5-498B-995B-46E3CCE2C2E3@logicworks.cz>
References: <014A6238-B9C5-498B-995B-46E3CCE2C2E3@logicworks.cz>

Hi Michal,

CMS has limited backward compatibility with PKCS#7. This is discussed in RFC 5652, and includes some suggestions as to how to handle some issues that might crop up. At least the old draft of SCEP very specifically does NOT specify CMS, but that might not have stopped someone from using it. These docs tend to be quite sloppy. For example, I know one that uses both PEM and DER encodings on the wire. Drives me batty. For enrolment this is particularly embarrassing, considering its sensitivity. As a sysadmin, you might try wrapping this stuff in PHP and just trying both the pkcs_decrypt and cms_decrypt calls and seeing if either works.

Eliot
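Added example, not code from the thread, libscep or OpenSSL: a shell script that reproduces the PKCS7_decrypt vs CMS_decrypt difference for RSA-OAEP key transport with the openssl CLI, since `openssl smime -decrypt` calls PKCS7_decrypt and `openssl cms -decrypt` calls CMS_decrypt. It assumes the openssl CLI is on PATH; the recipient certificate (CN=scep-oaep-test), the payload and the file names are constructed here, and it also reads the keyEncryptionAlgorithm OID out of the enveloped message, the field to compare in the attached .p7b files.

```shell
#!/bin/sh
# Added example (not from the thread): compare the PKCS#7 and CMS decryption
# paths on a message whose content-encryption key is transported under
# RSA-OAEP, as the WSO client now sends it.  'openssl smime -decrypt' uses
# PKCS7_decrypt underneath, 'openssl cms -decrypt' uses CMS_decrypt, so the
# CLI shows the same split as the C API.  Needs the openssl CLI; all files
# live in a temporary directory that is removed at the end.
set -u

# Self-signed recipient key and certificate (constructed test material) in $1.
make_recipient() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=scep-oaep-test" \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

# Envelope file $2 for the recipient in $1: AES-256-CBC content encryption,
# content key wrapped with RSA-OAEP.  -keyopt applies to the preceding -recip,
# so the option order matters.
envelope_oaep() {
    openssl cms -encrypt -in "$2" -aes-256-cbc -outform DER -out "$1/msg.p7" \
        -recip "$1/cert.pem" -keyopt rsa_padding_mode:oaep 2>/dev/null
}

# Dotted OID of the first RecipientInfo's keyEncryptionAlgorithm, taken from
# the parsed structure: 1.2.840.113549.1.1.1 is rsaEncryption (PKCS#1 v1.5),
# 1.2.840.113549.1.1.7 is rsaesOaep.
key_encryption_oid() {
    openssl cms -cmsout -print -inform DER -in "$1" \
        | grep -o '1\.2\.840\.113549\.1\.1\.[0-9]*' | head -n 1
}

# PKCS#7 path (PKCS7_decrypt).  It ignores the OAEP parameters and unwraps the
# key with PKCS#1 v1.5, so the content key is wrong and EVP_DecryptFinal_ex
# reports "bad decrypt".  Prints whatever came out, or nothing.
pkcs7_decrypt() {
    openssl smime -decrypt -inform DER -in "$1/msg.p7" \
        -recip "$1/cert.pem" -inkey "$1/key.pem" 2>/dev/null || true
}

# CMS path (CMS_decrypt).  It reads the OAEP parameters from the RecipientInfo
# and configures the RSA decryption to match.
cms_decrypt() {
    openssl cms -decrypt -inform DER -in "$1/msg.p7" \
        -recip "$1/cert.pem" -inkey "$1/key.pem" 2>/dev/null || true
}

# Run the comparison and print one summary line, e.g.
# keyEncryptionAlgorithm=1.2.840.113549.1.1.7 pkcs7_decrypt=fail cms_decrypt=ok
demo() {
    work=$(mktemp -d) || return 1
    plain='SCEP PKIOperation test payload'          # constructed content
    printf '%s' "$plain" > "$work/plain.txt"
    make_recipient "$work" || { rm -rf "$work"; return 1; }
    envelope_oaep "$work" "$work/plain.txt" || { rm -rf "$work"; return 1; }
    oid=$(key_encryption_oid "$work/msg.p7")
    p7=fail
    [ "$(pkcs7_decrypt "$work")" = "$plain" ] && p7=ok
    cms=fail
    [ "$(cms_decrypt "$work")" = "$plain" ] && cms=ok
    rm -rf "$work"
    echo "keyEncryptionAlgorithm=$oid pkcs7_decrypt=$p7 cms_decrypt=$cms"
}

demo
```

Point key_encryption_oid at one of the attached .p7b files to see which key-transport algorithm the client used; the same split applies to the C API, where d2i_CMS_bio plus CMS_decrypt replaces d2i_PKCS7_bio plus PKCS7_decrypt.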
From matt at openssl.org Mon Apr 12 18:28:18 2021
From: matt at openssl.org (Matt Caswell)
Date: Mon, 12 Apr 2021 19:28:18 +0100
Subject: Re: error: redefinition of 'struct rsa_meth_st'
Message-ID: <123df866-1fb4-b602-58c3-d1f19431ca70@openssl.org>

On 12/04/2021 18:06, Blumenthal, Uri - 0553 - MITLL wrote:
> Is there an analog of the "dummy async engine" for the OpenSSL-3.0 Provider?

There isn't a simple analog for RSA specifically. There's the test "tls-provider" which implements a toy KEX and KEM algorithm:

https://github.com/openssl/openssl/blob/master/test/tls-provider.c

For a bare bones skeleton do-nothing provider you can look at the null provider:

https://github.com/openssl/openssl/blob/master/providers/nullprov.c

You can also have a look at the legacy provider for a (relatively) simple example of how to do ciphers and digests:

https://github.com/openssl/openssl/blob/master/providers/legacyprov.c

Of course you should also look at the documentation:

https://www.openssl.org/docs/manmaster/man7/provider.html

If the interest is RSA specifically you may want to look at the provider asymmetric cipher documentation:

https://www.openssl.org/docs/manmaster/man7/provider-asym_cipher.html

as well as the provider signatures documentation:

https://www.openssl.org/docs/manmaster/man7/provider-signature.html

and the provider key management documentation:

https://www.openssl.org/docs/manmaster/man7/provider-keymgmt.html
Matt

> TNX
> --
> Regards,
> Uri
>
> There are two ways to design a system. One is to make it so simple there are obviously no deficiencies.
> The other is to make it so complex there are no obvious deficiencies.
> - C. A. R. Hoare
>
> On 4/12/21, 12:43, "openssl-users on behalf of Matt Caswell" wrote:
>
>> You can look at the dummy async engine which wraps the standard RSA functions inside an engine (as well as various other crypto primitives). You can see it here:
>>
>> https://github.com/openssl/openssl/blob/OpenSSL_1_1_1-stable/engines/e_dasync.c
>>
>> Matt
>>
>> On 12/04/2021 17:32, Shariful Alam wrote:
>>> Dr. Pauli,
>>> Good morning. Thank you for replying. I found the documentation a bit difficult for me to understand. I was wondering if you can direct me to a sample skeleton code for creating a custom RSA engine.
>>>
>>> Regards,
>>> Shariful Alam
>>>
>>> On Sun, Apr 11, 2021 at 6:00 PM Dr Paul Dale wrote:
>>>
>>>> You shouldn't be accessing the internals of a private structure. That structure was made private for a reason and duplicating it in your engine will break when we change the structure's contents.
>>>>
>>>> Your engine should be using the EVP_PKEY_meth_set_* functions to do what you want (for 1.1.1). For 3.0, you should be writing a provider instead.
>>>>
>>>> Pauli
>>>>
>>>> On 12/4/21 5:04 am, Shariful Alam wrote:
>>>>> Hello,
>>>>> Hope you guys are doing well. I'm trying to develop an RSA engine. My engine was somewhat working until I tried to integrate my engine with an apache httpd server. After installing the httpd from the source code, it turns out that I can't compile my engine anymore. I get the following error while I try to compile (it was compiling before and I did not make any changes to my engine code).
>>>>>
>>>>> ==============================
>>>>>
>>>>> $gcc -fPIC -c r_engine.c
>>>>> r_engine.c:29:8: error: redefinition of ‘struct rsa_meth_st’
>>>>>  struct rsa_meth_st {
>>>>>         ^
>>>>> In file included from /usr/include/openssl/crypto.h:131:0,
>>>>>                  from r_engine.c:7:
>>>>> /usr/include/openssl/ossl_typ.h:147:16: note: originally defined here
>>>>>  typedef struct rsa_meth_st RSA_METHOD;
>>>>>
>>>>> =============================
>>>>>
>>>>> and my struct rsa_meth_st looks like the following,
>>>>>
>>>>> ================================================================================
>>>>>
>>>>> struct rsa_meth_st {
>>>>>     const char *name;
>>>>>     int (*rsa_pub_enc) (int flen, const unsigned char *from,
>>>>>                         unsigned char *to, RSA *rsa, int padding);
>>>>>     int (*rsa_pub_dec) (int flen, const unsigned char *from,
>>>>>                         unsigned char *to, RSA *rsa, int padding);
>>>>>     int (*rsa_priv_enc) (int flen, const unsigned char *from,
>>>>>                          unsigned char *to, RSA *rsa, int padding);
>>>>>     int (*rsa_priv_dec) (int flen, const unsigned char *from,
>>>>>                          unsigned char *to, RSA *rsa, int padding);
>>>>>
>>>>>     int (*rsa_mod_exp) (BIGNUM *r0, const BIGNUM *I, RSA *rsa,
>>>>>                         BN_CTX *ctx);
>>>>>
>>>>>     int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
>>>>>                        const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
>>>>>
>>>>>     int (*init) (RSA *rsa);
>>>>>
>>>>>     int (*finish) (RSA *rsa);
>>>>>
>>>>>     int flags;
>>>>>
>>>>>     char *app_data;
>>>>>
>>>>>     int (*rsa_sign) (int type, const unsigned char *m, unsigned int m_length,
>>>>>                      unsigned char *sigret, unsigned int *siglen, const RSA *rsa);
>>>>>
>>>>>     int (*rsa_verify) (int dtype, const unsigned char *m, unsigned int m_length,
>>>>>                        const unsigned char *sigbuf, unsigned int siglen,
>>>>>                        const RSA *rsa);
>>>>>
>>>>>     int (*rsa_keygen) (RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb);
>>>>> };
>>>>>
>>>>> =================================================================================
>>>>>
>>>>> My sample skeleton code is here https://pastebin.com/uNXYknEA
>>>>>
>>>>> Can anyone please tell me what am I doing wrong?
>>>>>
>>>>> Regards,
>>>>> Shariful Alam

From hmurray at megapathdsl.net Mon Apr 12 19:54:57 2021
From: hmurray at megapathdsl.net (Hal Murray)
Date: Mon, 12 Apr 2021 12:54:57 -0700
Subject: EVP_MAC_init() in 3.0 alpha 13
In-Reply-To: Message from Tomas Mraz of "Mon, 12 Apr 2021 15:05:37 +0200." <348b006ceb83fd4301438cbb0c57b473a4f4ef23.camel@openssl.org>
Message-ID: <20210412195457.754BD40605C@ip-64-139-1-69.sjc.megapath.net>

tomas at openssl.org said:
> We would have to introduce the special semantics similar to EVP_CipherInit()
> with EVP_MAC_init(). I.e., that the EVP_CipherInit() with NULL key keeps the
> key schedule from the previous initialization.

Seems like a good idea to me.

The current code doesn't crash and doesn't generate an error return. Is there any other useful thing that a NULL key could do?

I don't have a big picture view. Is there any reason that all of the crypto init type procedures can't keep the current key schedule if called with a NULL key?

Am I the only one (so far) that is interested in reusing the current key schedule to save CPU cycles?

--
These are my opinions. I hate spam.

From wmk589 at yahoo.com Mon Apr 12 20:52:17 2021
From: wmk589 at yahoo.com (Robert Smith)
Date: Mon, 12 Apr 2021 20:52:17 +0000 (UTC)
Subject: Strange warnings while linking to openssl version 1.1.1k
References: <1634550097.1291877.1618260737903.ref@mail.yahoo.com>
Message-ID: <1634550097.1291877.1618260737903@mail.yahoo.com>

Hi,

I am getting the following warnings while linking my app to openssl version 1.1.1k. Could you advise what can cause these warnings and how to resolve them?
Thanks

../../../artifacts/openssl/arm3531/lib/libcrypto.a(async_posix.o): In function `ASYNC_is_capable':
async_posix.c:(.text+0x48): warning: warning: getcontext is not implemented and will always fail
../../../artifacts/openssl/arm3531/lib/libcrypto.a(async.o): In function `async_fibre_swapcontext':
async.c:(.text+0x248): warning: warning: setcontext is not implemented and will always fail
../../../artifacts/openssl/arm3531/lib/libcrypto.a(async_posix.o): In function `async_fibre_makecontext':
async_posix.c:(.text+0xe8): warning: warning: makecontext is not implemented and will always fail
../../../artifacts/openssl/arm3531/lib/libcrypto.a(async_posix.o): In function `ASYNC_is_capable':
async_posix.c:(.text+0x48): warning: warning: getcontext is not implemented and will always fail
../../../artifacts/openssl/arm3531/lib/libcrypto.a(async.o): In function `async_fibre_swapcontext':
async.c:(.text+0x248): warning: warning: setcontext is not implemented and will always fail
../../../artifacts/openssl/arm3531/lib/libcrypto.a(async_posix.o): In function `async_fibre_makecontext':
async_posix.c:(.text+0xe8): warning: warning: makecontext is not implemented and will always fail

From matt at openssl.org Mon Apr 12 21:48:08 2021
From: matt at openssl.org (Matt Caswell)
Date: Mon, 12 Apr 2021 22:48:08 +0100
Subject: Re: Strange warnings while linking to openssl version 1.1.1k
In-Reply-To: <1634550097.1291877.1618260737903@mail.yahoo.com>
References: <1634550097.1291877.1618260737903.ref@mail.yahoo.com> <1634550097.1291877.1618260737903@mail.yahoo.com>

On 12/04/2021 21:52, Robert Smith via openssl-users wrote:
> Hi,
>
> I am getting the following warnings while linking my app to openssl version 1.1.1k. Could you advise what can cause these warnings and how to resolve them? Thanks

It looks like your environment cannot support the async functionality.

Compile OpenSSL with the "no-async" compile time option to squash these warnings.

Matt

> ../../../artifacts/openssl/arm3531/lib/libcrypto.a(async_posix.o): In function `ASYNC_is_capable':
> async_posix.c:(.text+0x48): warning: warning: getcontext is not implemented and will always fail
> ../../../artifacts/openssl/arm3531/lib/libcrypto.a(async.o): In function `async_fibre_swapcontext':
> async.c:(.text+0x248): warning: warning: setcontext is not implemented and will always fail
> ../../../artifacts/openssl/arm3531/lib/libcrypto.a(async_posix.o): In function `async_fibre_makecontext':
> async_posix.c:(.text+0xe8): warning: warning: makecontext is not implemented and will always fail
> ../../../artifacts/openssl/arm3531/lib/libcrypto.a(async_posix.o): In function `ASYNC_is_capable':
> async_posix.c:(.text+0x48): warning: warning: getcontext is not implemented and will always fail
> ../../../artifacts/openssl/arm3531/lib/libcrypto.a(async.o): In function `async_fibre_swapcontext':
> async.c:(.text+0x248): warning: warning: setcontext is not implemented and will always fail
> ../../../artifacts/openssl/arm3531/lib/libcrypto.a(async_posix.o): In function `async_fibre_makecontext':
> async_posix.c:(.text+0xe8): warning: warning: makecontext is not implemented and will always fail

From Michael.Wojcik at microfocus.com Mon Apr 12 22:17:03 2021
From: Michael.Wojcik at microfocus.com (Michael Wojcik)
Date: Mon, 12 Apr 2021 22:17:03 +0000
Subject: FW: Strange warnings while linking to openssl version 1.1.1k
In-Reply-To: <1634550097.1291877.1618260737903@mail.yahoo.com>
References: <1634550097.1291877.1618260737903.ref@mail.yahoo.com> <1634550097.1291877.1618260737903@mail.yahoo.com>

> From: openssl-users On Behalf Of Robert Smith via openssl-users
> Sent: Monday, 12 April, 2021 14:52

Your message has a Reply-to header set, directing replies to you rather than to the list. Don't do that; it's rude. Ask a question here, read the reply here. Other people may be interested in the responses.

> I am getting the following warnings while linking my app to openssl version 1.1.1k.
> Could you advise what can cause these warnings and how to resolve them?

> ../../../artifacts/openssl/arm3531/lib/libcrypto.a(async_posix.o): In function `ASYNC_is_capable':
> async_posix.c:(.text+0x48): warning: warning: getcontext is not implemented and will always fail

DuckDuckGo is your friend. The first hit for "getcontext is not implemented and will always fail" explains that this is an ARM issue, not an OpenSSL one. Another hit a little further down provides more details. See:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=369453

No one has implemented getcontext, etc, for ARM yet. Consequently they don't work. The warning messages are emitted by the GNU toolchain, which knows the context functions are not available on this platform.

OpenSSL can detect this at runtime - see ASYNC_is_capable() in async_posix.c, and its use in e.g. speed.c.

Since there is no viable async implementation on Linux-ARM, you won't be able to use the OpenSSL async-job APIs, as described in the OpenSSL docs. If you don't need those APIs, these warnings are irrelevant.

--
Michael Wojcik

From dipto181 at gmail.com Mon Apr 12 23:56:35 2021
From: dipto181 at gmail.com (Shariful Alam)
Date: Mon, 12 Apr 2021 17:56:35 -0600
Subject: Re: error: redefinition of ‘struct rsa_meth_st’

Mr. Matt,
Thanks for the link. It was helpful. However, I'm encountering some weird issues while compiling. I have two machines. On one machine the following code is compiling and working fine, whereas on another machine I'm receiving "warning: implicit declaration of function ‘RSA_meth_new’" during compilation.
Both of my machines are running

- Linux 4.15.0-140-generic,
- gcc (Ubuntu 5.4.0-6ubuntu1~16.04.12) 5.4.0 20160609
- OpenSSL 1.1.1c 28 May 2019

My simple code is below.

//rsa-engine.c
===================================
#include <stdio.h>
#include <openssl/engine.h>
#include <openssl/rsa.h>

/* Engine Id and Name */
static const char *engine_dasync_id = "dasync";
static const char *engine_dasync_name = "Dummy Async engine support";

/* Stub RSA callbacks: each only logs that it was called and returns 0 */
static int dasync_pub_enc(int flen, const unsigned char *from,
                          unsigned char *to, RSA *rsa, int padding) {
    printf("dasync_pub_enc\n");
    return 0;
}

static int dasync_pub_dec(int flen, const unsigned char *from,
                          unsigned char *to, RSA *rsa, int padding) {
    printf("dasync_pub_dec\n");
    return 0;
}

static int dasync_rsa_priv_enc(int flen, const unsigned char *from,
                               unsigned char *to, RSA *rsa, int padding) {
    printf("dasync_rsa_priv_enc\n");
    return 0;
}

static int dasync_rsa_priv_dec(int flen, const unsigned char *from,
                               unsigned char *to, RSA *rsa, int padding) {
    printf("dasync_rsa_priv_dec\n");
    return 0;
}

static RSA_METHOD *dasync_rsa_method = NULL;

static int bind_dasync(ENGINE *e) {
    /* Setup RSA_METHOD */
    if ((dasync_rsa_method = RSA_meth_new("Dummy Async RSA method", 0)) == NULL
        || RSA_meth_set_pub_enc(dasync_rsa_method, dasync_pub_enc) == 0
        || RSA_meth_set_pub_dec(dasync_rsa_method, dasync_pub_dec) == 0
        || RSA_meth_set_priv_enc(dasync_rsa_method, dasync_rsa_priv_enc) == 0
        || RSA_meth_set_priv_dec(dasync_rsa_method, dasync_rsa_priv_dec) == 0) {
        return 0;
    }

    /* Register the engine's id, name and RSA method */
    if (!ENGINE_set_id(e, engine_dasync_id)
        || !ENGINE_set_name(e, engine_dasync_name)
        || !ENGINE_set_RSA(e, dasync_rsa_method)) {
        return 0;
    }
    return 1;
}

static int bind_helper(ENGINE *e, const char *id) {
    if (!bind_dasync(e)) {
        printf("2_Error: Inside Bind helper\n");
        return 0;
    }
    return 1;
}

IMPLEMENT_DYNAMIC_BIND_FN(bind_helper)
IMPLEMENT_DYNAMIC_CHECK_FN()
===================================

On the machine where this engine is working, I use the following commands to compile my code,

- gcc -fPIC -c rsa-engine.c
- gcc -shared -o librsa_engine.so -lcrypto rsa-engine.o

And the following command to load my engine,

- openssl engine -t -c `pwd`/librsa_engine.so

With the same code on the other machine, upon running gcc -fPIC -c rsa-engine.c, I get the following warnings,

ss at ss:~/Downloads/test_engine$ gcc -fPIC -c rsa-engine.c
rsa-engine.c: In function ‘bind_dasync’:
rsa-engine.c:64:30: warning: implicit declaration of function ‘RSA_meth_new’ [-Wimplicit-function-declaration]
     if ((dasync_rsa_method = RSA_meth_new("Dummy Async RSA method", 0)) == NULL
                              ^
rsa-engine.c:64:28: warning: assignment makes pointer from integer without a cast [-Wint-conversion]
     if ((dasync_rsa_method = RSA_meth_new("Dummy Async RSA method", 0)) == NULL
                            ^
rsa-engine.c:65:12: warning: implicit declaration of function ‘RSA_meth_set_pub_enc’ [-Wimplicit-function-declaration]
         || RSA_meth_set_pub_enc(dasync_rsa_method, dasync_pub_enc) == 0
            ^
rsa-engine.c:66:12: warning: implicit declaration of function ‘RSA_meth_set_pub_dec’ [-Wimplicit-function-declaration]
         || RSA_meth_set_pub_dec(dasync_rsa_method, dasync_pub_dec) == 0
            ^
rsa-engine.c:67:12: warning: implicit declaration of function ‘RSA_meth_set_priv_enc’ [-Wimplicit-function-declaration]
         || RSA_meth_set_priv_enc(dasync_rsa_method, dasync_rsa_priv_enc) == 0
            ^
rsa-engine.c:68:12: warning: implicit declaration of function ‘RSA_meth_set_priv_dec’ [-Wimplicit-function-declaration]
         || RSA_meth_set_priv_dec(dasync_rsa_method, dasync_rsa_priv_dec) == 0

Can you please tell me why the same code is giving two different results on different machines?

Regards,
Shariful Alam

On Mon, Apr 12, 2021 at 10:42 AM Matt Caswell wrote:
> You can look at the dummy async engine which wraps the standard RSA functions inside an engine (as well as various other crypto primitives). You can see it here:
>
> https://github.com/openssl/openssl/blob/OpenSSL_1_1_1-stable/engines/e_dasync.c
>
> Matt
>
> On 12/04/2021 17:32, Shariful Alam wrote:
>> Dr. Pauli,
>> Good morning. Thank you for replying. I found the documentation a bit difficult for me to understand. I was wondering if you can direct me to a sample skeleton code for creating a custom RSA engine.
>>
>> Regards,
>> Shariful Alam
>>
>> On Sun, Apr 11, 2021 at 6:00 PM Dr Paul Dale wrote:
>>
>>> You shouldn't be accessing the internals of a private structure. That structure was made private for a reason and duplicating it in your engine will break when we change the structure's contents.
>>>
>>> Your engine should be using the EVP_PKEY_meth_set_* functions to do what you want (for 1.1.1). For 3.0, you should be writing a provider instead.
>>>
>>> Pauli
>>>
>>> On 12/4/21 5:04 am, Shariful Alam wrote:
>>>> Hello,
>>>> Hope you guys are doing well. I'm trying to develop an RSA engine. My engine was somewhat working until I tried to integrate my engine with an apache httpd server. After installing the httpd from the source code, it turns out that I can't compile my engine anymore. I get the following error while I try to compile (it was compiling before and I did not make any changes to my engine code).
>>>>
>>>> ==============================
>>>>
>>>> $gcc -fPIC -c r_engine.c
>>>> r_engine.c:29:8: error: redefinition of ‘struct rsa_meth_st’
>>>>  struct rsa_meth_st {
>>>>         ^
>>>> In file included from /usr/include/openssl/crypto.h:131:0,
>>>>                  from r_engine.c:7:
>>>> /usr/include/openssl/ossl_typ.h:147:16: note: originally defined here
>>>>  typedef struct rsa_meth_st RSA_METHOD;
>>>>
>>>> =============================
>>>>
>>>> and my struct rsa_meth_st looks like the following,
>>>>
>>>> ================================================================================
>>>>
>>>> struct rsa_meth_st {
>>>>     const char *name;
>>>>     int (*rsa_pub_enc) (int flen, const unsigned char *from,
>>>>                         unsigned char *to, RSA *rsa, int padding);
>>>>     int (*rsa_pub_dec) (int flen, const unsigned char *from,
>>>>                         unsigned char *to, RSA *rsa, int padding);
>>>>     int (*rsa_priv_enc) (int flen, const unsigned char *from,
>>>>                          unsigned char *to, RSA *rsa, int padding);
>>>>     int (*rsa_priv_dec) (int flen, const unsigned char *from,
>>>>                          unsigned char *to, RSA *rsa, int padding);
>>>>
>>>>     int (*rsa_mod_exp) (BIGNUM *r0, const BIGNUM *I, RSA *rsa,
>>>>                         BN_CTX *ctx);
>>>>
>>>>     int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
>>>>                        const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
>>>>
>>>>     int (*init) (RSA *rsa);
>>>>
>>>>     int (*finish) (RSA *rsa);
>>>>
>>>>     int flags;
>>>>
>>>>     char *app_data;
>>>>
>>>>     int (*rsa_sign) (int type, const unsigned char *m, unsigned int m_length,
>>>>                      unsigned char *sigret, unsigned int *siglen, const RSA *rsa);
>>>>
>>>>     int (*rsa_verify) (int dtype, const unsigned char *m, unsigned int m_length,
>>>>                        const unsigned char *sigbuf, unsigned int siglen,
>>>>                        const RSA *rsa);
>>>>
>>>>     int (*rsa_keygen) (RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb);
>>>> };
>>>>
>>>> =================================================================================
>>>>
>>>> My sample skeleton code is here https://pastebin.com/uNXYknEA
>>>>
>>>> Can anyone please tell me what am I doing wrong?
>>>>
>>>> Regards,
>>>> Shariful Alam

From fabpet at gmail.com Tue Apr 13 06:59:23 2021
From: fabpet at gmail.com (Fabio)
Date: Tue, 13 Apr 2021 08:59:23 +0200
Subject: Help with i2d_CMS_bio_stream from OpenSSL 1.0 to OpenSSL 1.1.1j

Hi,
does no one have any hints?

On Thu, 8 Apr 2021 at 10:53 Fabio wrote:
> Hi all,
> I have a problem upgrading my code from openssl 1.0 to the latest 1.1.1j.
> Using an older version, I exported the CMS code in order to extend and modify some calculations. I used i2d_CMS_bio_stream to convert the struct to DER.
>
> Using OpenSSL 1.1.1j I had to change all the DECLARE_STACK_OF into DEFINE_STACK_OF, but now i2d_CMS_bio_stream produces a broken DER. In particular, when in the code I add a stack to the structure and push some structs into the stack, i2d_CMS_bio_stream does not write the SEQUENCE correctly (instead I get some 0x06 0x82 0x30 0x82)...
>
> What should I do to fix this?
> Thanks.
>
> FP

From thomas_floodeenjr at mentor.com Tue Apr 13 12:38:45 2021
From: thomas_floodeenjr at mentor.com (Floodeenjr, Thomas)
Date: Tue, 13 Apr 2021 12:38:45 +0000
Subject: Help with i2d_CMS_bio_stream from OpenSSL 1.0 to OpenSSL 1.1.1j

Hello,

Are there any clues for you here?

https://wiki.tizen.org/Security/Tizen_5.X_Migration_from_OpenSSL_1.0.2_to_OpenSSL_1.1.1_guide

-Tom

From: openssl-users On Behalf Of Fabio
Sent: Tuesday, April 13, 2021 12:59 AM
To: openssl-users at openssl.org
Subject: Re: Help with i2d_CMS_bio_stream from OpenSSL 1.0 to OpenSSL 1.1.1j

> Hi,
> does no one have any hints?
>
> On Thu, 8 Apr 2021 at 10:53 Fabio wrote:
>> Hi all,
>> I have a problem upgrading my code from openssl 1.0 to the latest 1.1.1j.
>> Using an older version, I exported the CMS code in order to extend and modify some calculations. I used i2d_CMS_bio_stream to convert the struct to DER.
>>
>> Using OpenSSL 1.1.1j I had to change all the DECLARE_STACK_OF into DEFINE_STACK_OF, but now i2d_CMS_bio_stream produces a broken DER. In particular, when in the code I add a stack to the structure and push some structs into the stack, i2d_CMS_bio_stream does not write the SEQUENCE correctly (instead I get some 0x06 0x82 0x30 0x82)...
>>
>> What should I do to fix this?
>> Thanks.
>>
>> FP

From michal.moravec at logicworks.cz Tue Apr 13 14:07:23 2021
From: michal.moravec at logicworks.cz (Michal Moravec)
Date: Tue, 13 Apr 2021 14:07:23 +0000
Subject: PKCS7_decrypt vs RSA OAEP padding
References: <014A6238-B9C5-498B-995B-46E3CCE2C2E3@logicworks.cz>
Message-ID: <1FE54151-FBDB-40C5-9806-C61CF63573FE@logicworks.cz>

Hey Eliot,

Thank you for the PKCS7 vs CMS info.

# The test

> you might try wrapping this stuff in PHP

I don't use PHP so I decided to do it in C.

I was able to confirm my suspicion about PKCS7_decrypt not being able to decrypt a message where RSA is used with OAEP padding!

There are two programs attached (+ the scep.h header file they both use):
- pkcs7.c is based on code from the libscep library I mentioned.
- cms.c is very similar to pkcs7.c. I've only replaced the PKCS7 methods and data structures with their CMS equivalents.

For them to work you need files named "scep.key", "scep.pem" and "pkimessage.p7b" present in the current working directory <- I was too lazy to use args.

My test files are also attached:
- pkimessage_rsa.p7b <- RSA encryption (possibly with PKCS 1.5 padding?) is used. Both pkcs7.c and cms.c are able to decrypt the payload.
- pkimessage_rsaoaep.p7b <- RSA encryption with OAEP padding is used. Only cms.c is able to decrypt the payload.
- scep.key and scep.pem (SCEP service certificate and private key I use for testing).

# How to fix my problem

There are multiple routes for me to solve this problem:

1. Convince the SCEP client vendor (VMware) to let me configure the encryption algorithm types or revert the change altogether (still don't know if it was intentional).
2. Report this as a bug to OpenSSL and hope it gets fixed.
3. Replace PKCS7_decrypt with CMS_decrypt in the libscep library.

## (1)

I have opened a ticket with their support a week ago but it is _very_ hard to get hold of someone who has any idea what I am talking about.

## (2)

Back to my question from the original email. If it is indeed not capable of doing that, would it be a bug or desired behavior? Should I report this as a bug? If yes, is there any chance this might be fixed soon (meaning in the 1.1.1 branch instead of 3.0)?

## (3)

This is something I can do myself but there are two approaches.

A. Easy. Replace only the PKCS7_decrypt method with the CMS_decrypt method.
B. Hard. Rework the entire library to use CMS instead of PKCS7.

I would very much like to go for the Easy choice here for two reasons. I am not able to do proper testing for such a massive change. For the same reason (plus one other) it is not very likely the big change would be accepted upstream ->

Is there an easy way to convert a PKCS7 struct into a CMS_ContentInfo struct? OR, if there is not an easy way, what would be the hard way to do it?

Michal Moravec

On 12. 4. 2021, at 19:24, Eliot Lear wrote:

> Hi Michal,
>
> CMS has limited backward compatibility with PKCS#7. This is discussed in RFC 5652, and includes some suggestions as to how to handle some issues that might crop up. At least the old draft of SCEP very specifically does NOT specify CMS, but that might not have stopped someone from using it. These docs tend to be quite sloppy. For example, I know one that uses both PEM and DER encodings on the wire. Drives me batty. For enrolment this is particularly embarrassing, considering its sensitivity.
>
> As a sysadmin, you might try wrapping this stuff in PHP and just trying both the pkcs_decrypt and cms_decrypt calls and seeing if either works.
>
> Eliot
>
> On 12.04.21 14:13, Michal Moravec wrote:
>> Hello,
>>
>> I am a system administrator trying to integrate two pieces of software using the SCEP protocol (more on that later in the More Context section).
>>
>> The integration was working but one side (SaaS product) changed the algorithms it uses for signing and encryption within the PKCS7 message. After that I am unable to decrypt the PKCS7 messages on my end and get the error:
>>
>> "ERROR 139701710696896:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:../crypto/evp/evp_enc.c:597: message_static_functions.c:221: decryption failed"
>>
>> From my current state of investigation it looks highly likely there is a problem with the PKCS7_decrypt method, which might be unable to decrypt the PKCS7/CMS payload if RSA is used together with OAEP padding.
>>
>> 1. What are the differences between the pkcs7 https://github.com/openssl/openssl/tree/681618cfc18b4f01f2c07e823308d30f6f47504b/crypto/pkcs7 and CMS https://github.com/openssl/openssl/tree/681618cfc18b4f01f2c07e823308d30f6f47504b/crypto/cms implementations? If I understand correctly CMS is just the newer name for PKCS7 adopted by newer RFCs? Do these two implementations overlap? Or is there some kind of major difference like the PKCS7 module being there for compatibility with older code and CMS basically being the replacement to use for the future?
>>
>> 2. Is the PKCS7_decrypt method in https://github.com/openssl/openssl/blob/681618cfc18b4f01f2c07e823308d30f6f47504b/crypto/pkcs7/pk7_smime.c capable of decrypting the PKCS7 payload when OAEP padding is used together with RSA to encrypt it? If it is indeed not capable of doing that, would it be a bug or desired behavior?
>>
>> I found a few pointers:
>> - https://stackoverflow.com/questions/56941480/how-to-set-padding-oaep-for-pkcs7-decrypt-function-using-openssl <- Developer is unable to use PKCS7_decrypt with RSA OAEP and is forced to switch to the CMS_decrypt method.
>> - https://stackoverflow.com/questions/34304570/how-to-resolve-the-evp-decryptfinal-ex-bad-decrypt-during-file-decryption <- Padding being the source of the EVP_DecryptFinal_ex:bad decrypt error message.
>>
>> 3. How to replace the PKCS7_decrypt method with CMS_decrypt as easily as possible?
>>
>> I have no hard proof of PKCS7_decrypt being the culprit here, so I started working on a simple C program to reproduce the issue. The problem is my C skills are very rusty and I have no experience working with the OpenSSL C library.
>>
>> int PKCS7_decrypt(PKCS7 *p7, EVP_PKEY *pkey, X509 *cert, BIO *data,
>>                   int flags);
>> int CMS_decrypt(CMS_ContentInfo *cms, EVP_PKEY *pkey, X509 *cert,
>>                 BIO *dcont, BIO *out, unsigned int flags);
>>
>> The methods are very similar but the input data format is different. Is there an easy way to convert a PKCS7 struct into a CMS_ContentInfo struct?
>>
>> Original usage of PKCS7_decrypt here -> https://github.com/openxpki/libscep/blob/4067eae283ce0b3025d414e9d3b6af30def8c093/src/message_static_functions.c
>>
>> # More Context
>>
>> My goal is to obtain a signed client certificate using the SCEP protocol.
>>
>> SCEP server: OpenXPKI https://github.com/openxpki/openxpki (Perl) with the libscep https://github.com/openxpki/libscep library (C). libscep uses OpenSSL.
>> SCEP client: VMware Workspace ONE UEM SaaS (WSO). Black box. From the error codes the client produces I strongly suspect they use OpenSSL within .Net code.
>>
>> Originally the WSO SCEP client used these three algorithms for PKCS7 operations: SHA-1, RSA (PKCS 1.5 padding or no padding <- can't tell which) and 3DES-CBC.
>> They made some sort of change (unannounced) and since the last SaaS update the WSO client uses SHA-2 (256-bit), RSA with OAEP padding and AES-256-CBC.
>> Compare the attached PKCS7 messages (libscep_wso*.p7b). I use https://lapo.it/asn1js to decode them easily.
>> After the change I am unable to decrypt the PKIOperation message on the server side.
>>
>> I suspect the RSA with OAEP is the cause of the problem because, using a different client with SHA-256, AES-256-CBC and RSA, decryption works without any problem (libscep_sscep_ok.p7b).
>>
>> Best Regards,
>> Michal Moravec

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pkimessage_rsa.p7b
Type: application/octet-stream
Size: 3994 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pkimessage_rsaoaep.p7b
Type: application/octet-stream
Size: 4104 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: scep.key
Type: application/octet-stream
Size: 3294 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: scep.pem
Type: application/x-x509-ca-cert
Size: 1394 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cms.c
Type: application/octet-stream
Size: 2759 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: scep.h
Type: application/octet-stream
Size: 9768 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pkcs7.c
Type: application/octet-stream
Size: 2511 bytes

From rkundla at gmail.com Tue Apr 13 15:05:52 2021
From: rkundla at gmail.com (Ron Kundla)
Date: Tue, 13 Apr 2021 11:05:52 -0400
Subject: X509_sign_ctx and ENGINE

Hello,

I am trying to adapt a piece of software to use an nCipher HSM using OpenSSL 1.1.1j along with the nfkm.dll engine library from nCipher.
One function uses X509_sign_ctx() to calculate a SHA256 digest and sign a X509 certificate using RSA-PSS. I am running a debug version of x64 on Windows and I get the following error while executing the function rsa_pmeth.c:RSA_private_encrypt() error:06078081:digital envelope routines:EVP_PKEY_get0_DSA:expecting a dsa key This is the code that generates the error above: if (rsa->d == NULL) { RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, RSA_R_MISSING_PRIVATE_KEY); BN_free(d); goto err; } The debugger shows me that the RSA structure does not have any RSA key data inside of it, which would be due to the fact that it is in the HSM. I did use ENGINE_load_private_key() to create a PKEY that does show references to the engine structure and associated methods. My first guess is that X509_sign_ctx is not 'ENGINE' compatible. While the PKEY has an engine associated with it, there may not be the hooks to invoke the ENGINE private encryption method. Is there another way I can use OpenSSL functions to allow it to work with the ENGINE to do the exact same thing mentioned above? Or is the only way to make this work requrire X509_sign_ctx to be modified to support ENGINE operation? Thanks, Ron From janjust at nikhef.nl Tue Apr 13 16:18:42 2021 From: janjust at nikhef.nl (Jan Just Keijser) Date: Tue, 13 Apr 2021 18:18:42 +0200 Subject: X509_sign_ctx and ENGINE In-Reply-To: References: Message-ID: Hi, On 13/04/21 17:05, Ron Kundla wrote: > Hello, > > I am trying to adapt a piece of software to use an nCipher HSM using > OpenSSL 1.1.1j along with the nfkm.dll engine library from nCipher. > > One function uses X509_sign_ctx() to calculate a SHA256 digest and > sign a X509 certificate using RSA-PSS. 
> > I am running a debug version of x64 on Windows and I get the following > error while executing the function rsa_pmeth.c:RSA_private_encrypt() > > error:06078081:digital envelope routines:EVP_PKEY_get0_DSA:expecting a dsa key > > This is the code that generates the error above: > > if (rsa->d == NULL) { > RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, RSA_R_MISSING_PRIVATE_KEY); > BN_free(d); > goto err; > } > > The debugger shows me that the RSA structure does not have any RSA key > data inside of it, which would be due to the fact that it is in the > HSM. I did use ENGINE_load_private_key() to create a PKEY that does > show references to the engine structure and associated methods. > > My first guess is that X509_sign_ctx is not 'ENGINE' compatible. While > the PKEY has an engine associated with it, there may not be the hooks > to invoke the ENGINE private encryption method. > > Is there another way I can use OpenSSL functions to allow it to work > with the ENGINE to do the exact same thing mentioned above? Or is the > only way to make this work requrire X509_sign_ctx to be modified to > support ENGINE operation? > > I'd suggest to read the source code of the openssl 'req' command (./apps/req.c) , as it is capable of generating an X509 request from a token;? as a matter of fact, you will find that that code calls X509_sign_ct(...) So I'd get the certificate request generation working first using ? openssl req -engine pkcs11 -keyform engine -key [:]12345678 -new -text ?? -out newcert.csr -config openssl.cnf -subj $SUBJECT first with the nCipher HSM and if that works, then look at your code. HTH, JJK From rkundla at gmail.com Tue Apr 13 19:02:43 2021 From: rkundla at gmail.com (Ron Kundla) Date: Tue, 13 Apr 2021 15:02:43 -0400 Subject: X509_sign_ctx and ENGINE In-Reply-To: References: Message-ID: Thanks Jan, I'll check it out and let you know how it goes. 
Regards,
Ron

On Tue, Apr 13, 2021 at 12:18 PM Jan Just Keijser wrote:
>
> Hi,
>
> On 13/04/21 17:05, Ron Kundla wrote:
> > Hello,
> >
> > I am trying to adapt a piece of software to use an nCipher HSM using OpenSSL 1.1.1j along with the nfkm.dll engine library from nCipher.
> >
> > One function uses X509_sign_ctx() to calculate a SHA256 digest and sign an X509 certificate using RSA-PSS.
> >
> > I am running a debug version of x64 on Windows and I get the following error while executing the function rsa_pmeth.c:RSA_private_encrypt()
> >
> > error:06078081:digital envelope routines:EVP_PKEY_get0_DSA:expecting a dsa key
> >
> > This is the code that generates the error above:
> >
> >     if (rsa->d == NULL) {
> >         RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, RSA_R_MISSING_PRIVATE_KEY);
> >         BN_free(d);
> >         goto err;
> >     }
> >
> > The debugger shows me that the RSA structure does not have any RSA key data inside of it, which would be due to the fact that it is in the HSM. I did use ENGINE_load_private_key() to create a PKEY that does show references to the engine structure and associated methods.
> >
> > My first guess is that X509_sign_ctx is not 'ENGINE' compatible. While the PKEY has an engine associated with it, there may not be the hooks to invoke the ENGINE private encryption method.
> >
> > Is there another way I can use OpenSSL functions to allow it to work with the ENGINE to do the exact same thing mentioned above? Or does the only way to make this work require X509_sign_ctx to be modified to support ENGINE operation?
> >
> I'd suggest reading the source code of the openssl 'req' command (./apps/req.c), as it is capable of generating an X509 request from a token; as a matter of fact, you will find that that code calls X509_sign_ctx(...)
>
> So I'd get the certificate request generation working first using
>
>     openssl req -engine pkcs11 -keyform engine -key [:]12345678 -new -text \
>         -out newcert.csr -config openssl.cnf -subj $SUBJECT
>
> first with the nCipher HSM and if that works, then look at your code.
>
> HTH,
>
> JJK
>

From fabpet at gmail.com Wed Apr 14 07:44:38 2021
From: fabpet at gmail.com (Fabio)
Date: Wed, 14 Apr 2021 09:44:38 +0200
Subject: Help with i2d_CMS_bio_stream from OpenSSL 1.0 to OpenSSL 1.1.1j
In-Reply-To:
References:
Message-ID:

Thank you,

It is a very useful resource but my problem is actually a wrong conversion of the stack of structures to ASN1 SEQUENCE in DER.

What actually changed between 1.0.2 and 1.1.1?

Thanks
F

On Tue, 13 Apr 2021 at 14:38, Floodeenjr, Thomas <thomas_floodeenjr at mentor.com> wrote:
> Hello,
>
> Are there any clues for you here?
>
> https://wiki.tizen.org/Security/Tizen_5.X_Migration_from_OpenSSL_1.0.2_to_OpenSSL_1.1.1_guide
>
> -Tom
>
> From: openssl-users On Behalf Of Fabio
> Sent: Tuesday, April 13, 2021 12:59 AM
> To: openssl-users at openssl.org
> Subject: Re: Help with i2d_CMS_bio_stream from OpenSSL 1.0 to OpenSSL 1.1.1j
>
> Hi,
>
> does no one have any hints?
>
> On Thu, 8 Apr 2021 at 10:53, Fabio wrote:
>
> Hi all,
>
> I have a problem upgrading my code from openssl 1.0 to the latest 1.1.1j.
>
> Using an older version, I exported the CMS code in order to extend and modify some calculations. I used i2d_CMS_bio_stream to convert the struct to DER.
>
> Using OpenSSL 1.1.1j I had to change all the DECLARE_STACK_OF into DEFINE_STACK_OF, but now i2d_CMS_bio_stream produces a broken DER. In particular, when in the code I add a stack to the structure and push some structs into the stack, i2d_CMS_bio_stream does not write the SEQUENCE correctly (instead I get some 0x06 0x82 0x30 0x82)...
>
> What should I do to fix this?
>
> Thanks.
>
> FP

From b_duvvuri at yahoo.com Wed Apr 14 10:47:33 2021
From: b_duvvuri at yahoo.com (Bala Duvvuri)
Date: Wed, 14 Apr 2021 10:47:33 +0000 (UTC)
Subject: OpenSSL 3.0 - providing entropy to EVP_RAND ?
In-Reply-To: <1da19067-8dbb-f832-f3bc-79dbd7b84eb8@openssl.org>
References: <1644797849.3514421.1616566460759.ref@mail.yahoo.com> <1644797849.3514421.1616566460759@mail.yahoo.com> <1da19067-8dbb-f832-f3bc-79dbd7b84eb8@openssl.org>
Message-ID: <406505205.1959745.1618397253247@mail.yahoo.com>

1> >>The best way to do this, is to create a provider which acts as a seed source and to then use this as the parent of the primary DRBG. See, for example, test/testutil/fakerandom.c for how to do this. The key is to set up the seed source before the RNG subsystem is first used.

In our case we provide the entropy and nonce from hardware sources (as it's on an embedded platform) as requested by the DRBG in the older version. Now, if we set up a custom provider and use it as parent of the primary DRBG, it's not clear how the entropy and nonce from this provider will be accessed, which API is invoked for the entropy/nonce consumption (any specific callbacks set)? Can you please explain the steps or an example of the usage?

2> Also, we need to set up the DRBG for the CAVS test (Input: EntropyInput, Nonce, PersonalizationString, AdditionalInput, EntropyInputPR, AdditionalInput, EntropyInputPR); with OpenSSL 1.1.1, the below steps were done:

    RAND_DRBG_new(NID_aes_256_ctr, RAND_DRBG_FLAGS, NULL);
    RAND_DRBG_set_callbacks   // This will set it up to return the provided entropy and nonce inputs
    RAND_DRBG_instantiate     // Pass personalization string.
    RAND_DRBG_generate

Can you kindly let me know the equivalent steps with OpenSSL 3.0?

Thank you for your help in this.
Thanks
Bala

On Wednesday, 24 March, 2021, 11:56:18 am IST, Dr Paul Dale wrote:

RAND_add() forces a reseed to the DRBGs and uses the passed material (not as entropy but as additional input).

EVP_RAND_reseed() is a more direct interface but remember that the built in DRBGs are free to ignore what the user claims is entropy. History has shown us time and again that entropy is often anything but.

The best way to do this, is to create a provider which acts as a seed source and to then use this as the parent of the primary DRBG. See, for example, test/testutil/fakerandom.c for how to do this. The key is to set up the seed source before the RNG subsystem is first used.

If you simply want to replace the built-in DRBGs with a real random source, create a provider and set the appropriate environment/config variables.

Pauli

On 24/3/21 4:14 pm, Bala Duvvuri via openssl-users wrote:
Hi All,
In OpenSSL 1.1.1 version, we were using RAND_DRBG for random number generation. Using "RAND_DRBG_set_callbacks", we were able to call into our custom API for entropy and nonce generation. How can this be achieved with the EVP_RAND implementation, i.e. does it allow entropy to be provided?
Thanks
Bala

From Sunil.Paramashivaiah at rbbn.com Wed Apr 14 11:26:21 2021
From: Sunil.Paramashivaiah at rbbn.com (Paramashivaiah, Sunil)
Date: Wed, 14 Apr 2021 11:26:21 +0000
Subject: PEM_read_bio_RSAPublicKey equivalent API which returns EVP_PKEY
In-Reply-To:
References:
Message-ID:

Hi Richard,

Thanks for the reply. Maybe you misunderstood my query. As you suggested, I will use EVP_PKEY_CTX_new to create a ctx for using it in "EVP_PKEY_encrypt" and "EVP_PKEY_decrypt". But to create the ctx, EVP_PKEY_CTX_new takes an EVP_PKEY as input parameter.
In our code with the 1.0.2 version, the "RSA_public_encrypt" and "RSA_public_decrypt" APIs were used, and the input parameter to these APIs was the RSA key obtained using the APIs "PEM_read_bio_RSAPublicKey" and "PEM_read_bio_RSA_PUBKEY" from two different kinds of PEM format public keys. Please note that the PEM format public key used is different in "PEM_read_bio_RSAPublicKey" and "PEM_read_bio_RSA_PUBKEY": one begins with "-----BEGIN PUBLIC KEY-----" and the other begins with "-----BEGIN RSA PUBLIC KEY-----", and they seem to be encoded differently.

--------------------------------------------------------------------------------
OLD CODE:

    RSA *rsa = NULL;
    BIO *keybio;

    keybio = BIO_new_mem_buf((void*)pembublickey, -1); // !!!
    if (!keybio) {
        return NULL;
    }
    if (isPKCS1 == false) {
        rsa = PEM_read_bio_RSA_PUBKEY(keybio, NULL, NULL, NULL);
    } else {
        rsa = PEM_read_bio_RSAPublicKey(keybio, NULL, NULL, NULL);
    }
--------------------------------------------------------------------------------

Now my problem is to create an EVP_PKEY to use as input parameter to EVP_PKEY_CTX_new. For the different kinds of PEM public key I need two different APIs equivalent to PEM_read_bio_RSA_PUBKEY and PEM_read_bio_RSAPublicKey. From the manual page, I found the replacement for "PEM_read_bio_RSA_PUBKEY" as "PEM_read_bio_PUBKEY" to get an EVP_PKEY, but I am unable to find a replacement for PEM_read_bio_RSAPublicKey to get an EVP_PKEY from the 2nd type of PEM public key. Please let me know what to use instead of PEM_read_bio_RSAPublicKey.

--------------------------------------------------------------------------------
NEW CODE:

    EVP_PKEY *evpkey = NULL;
    BIO *keybio;

    keybio = BIO_new_mem_buf((void*)key, -1);
    if (!keybio) {
        return NULL;
    }
    if (isPKCS1 == false) {
        evpkey = PEM_read_bio_PUBKEY(keybio, NULL, NULL, NULL);
    } else {
        // PROBLEM: what is the alternate API to replace PEM_read_bio_RSAPublicKey
    }
--------------------------------------------------------------------------------

Thanks and Regards,
Sunil

________________________________
From: openssl-users on behalf of openssl-users-request at openssl.org
Sent: 12 April 2021 22:12
To: openssl-users at openssl.org
Subject: openssl-users Digest, Vol 77, Issue 20

Today's Topics:

   1. Re: EVP_MAC_init() in 3.0 alpha 13 (Hal Murray)
   2. Re: EVP_MAC_init() in 3.0 alpha 13 (Tomas Mraz)
   3. Re: error: redefinition of ‘struct rsa_meth_st’ (Shariful Alam)
   4. Re: PEM_read_bio_RSAPublicKey equivalent API which returns EVP_PKEY (Richard Levitte)
   5. Re: error: redefinition of ‘struct rsa_meth_st’
      (Matt Caswell)

----------------------------------------------------------------------

Message: 1
Date: Mon, 12 Apr 2021 05:48:57 -0700
From: Hal Murray
To: Dr Paul Dale
Cc: openssl-users at openssl.org
Subject: Re: EVP_MAC_init() in 3.0 alpha 13
Message-ID: <20210412124857.623AB40605C at ip-64-139-1-69.sjc.megapath.net>
Content-Type: text/plain; charset=us-ascii

> Did you attempt to pass NULL for the key and zero for its length to the
> EVP_MAC_init() call?

Yes.

We can do better. If we have to use dup/free, we can move the EVP_MAC_init() to before the dup, out of the timing path.

My model is that initialization is 2 parts. The first is turning the key into a big table. The second is initializing a small amount of state that is whatever is needed/updated by EVP_MAC_update().

I was hoping that EVP_MAC_init() with NULL key would bypass the first step and do the second.

If the second step involves a lot of computation we get into the space/time tradeoff of computing it during step one and saving it in case EVP_MAC_init is called with NULL key.

If there was a copy operation we could use it instead of dup/free.

Where is the code that does the key setup? I expect it will be obvious after I see it, but I don't know my way around that linkage yet. I'm using the default AES-128-CBC.

---------

I don't think I've said it explicitly, but thanks for the change to the API for EVP_MAC_init()

----------

Should PKEY be a potentially interesting approach for something like this? I think it was suggested months ago. One advantage is that the code works with 1.1.1.

It's horribly slow in 3.0

alpha14:
  0.777 CMAC
  7.533 PKEY
  3.323 PKEY preload
  0.392 EVP_MAC
  0.308 EVP_MAC Preload with dup+free
  0.102 EVP_MAC Preload (no dup, wrong answer)

1.1.1k:
  0.285 CMAC
  0.550 PKEY
  0.196 PKEY preload

--
These are my opinions. I hate spam.

------------------------------

Message: 2
Date: Mon, 12 Apr 2021 15:05:37 +0200
From: Tomas Mraz
To: Hal Murray, Dr Paul Dale
Cc: openssl-users at openssl.org
Subject: Re: EVP_MAC_init() in 3.0 alpha 13
Message-ID: <348b006ceb83fd4301438cbb0c57b473a4f4ef23.camel at openssl.org>
Content-Type: text/plain; charset="UTF-8"

On Mon, 2021-04-12 at 05:48 -0700, Hal Murray wrote:
> > Did you attempt to pass NULL for the key and zero for its length to the
> > EVP_MAC_init() call?
>
> Yes.
>
> We can do better. If we have to use dup/free, we can move the EVP_MAC_init() to before the dup, out of the timing path.
>
> My model is that initialization is 2 parts. The first is turning the key into a big table. The second is initializing a small amount of state that is whatever is needed/updated by EVP_MAC_update().
>
> I was hoping that EVP_MAC_init() with NULL key would bypass the first step and do the second.

We would have to introduce the special semantics similar to EVP_CipherInit() with EVP_MAC_init(). I.e., that the EVP_CipherInit() with NULL key keeps the key schedule from the previous initialization.

> If the second step involves a lot of computation we get into the space/time tradeoff of computing it during step one and saving it in case EVP_MAC_init is called with NULL key.
>
> If there was a copy operation we could use it instead of dup/free.

I do not think we want to introduce the copy operation. We are trying to get out of the copy() pattern as it is much harder to handle correctly than the dup().

> Where is the code that does the key setup? I expect it will be obvious after I see it, but I don't know my way around that linkage yet. I'm using the default AES-128-CBC.
>
> ---------
>
> I don't think I've said it explicitly, but thanks for the change to the API for EVP_MAC_init()
>
> ----------
>
> Should PKEY be a potentially interesting approach for something like this? I think it was suggested months ago.
> One advantage is that the code works with 1.1.1.
>
> It's horribly slow in 3.0
>
> alpha14:
>   0.777 CMAC
>   7.533 PKEY
>   3.323 PKEY preload
>   0.392 EVP_MAC
>   0.308 EVP_MAC Preload with dup+free
>   0.102 EVP_MAC Preload (no dup, wrong answer)
>
> 1.1.1k:
>   0.285 CMAC
>   0.550 PKEY
>   0.196 PKEY preload
>

--
Tomáš Mráz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
[You'll know whether the road is wrong if you carefully listen to your conscience.]

------------------------------

Message: 3
Date: Mon, 12 Apr 2021 10:32:32 -0600
From: Shariful Alam
To: Dr Paul Dale
Cc: openssl-users at openssl.org
Subject: Re: error: redefinition of ‘struct rsa_meth_st’
Message-ID:
Content-Type: text/plain; charset="utf-8"

Dr. Pauli,
Good morning. Thank you for replying. I found the documentation a bit difficult for me to understand. I was wondering if you can direct me to a sample skeleton code for creating a custom RSA engine.

Regards,
Shariful Alam

On Sun, Apr 11, 2021 at 6:00 PM Dr Paul Dale wrote:
> You shouldn't be accessing the internals of a private structure. That structure was made private for a reason and duplicating it in your engine will break when we change the structure's contents.
>
> Your engine should be using the EVP_PKEY_meth_set_* functions to do what you want (for 1.1.1). For 3.0, you should be writing a provider instead.
>
> Pauli
>
> On 12/4/21 5:04 am, Shariful Alam wrote:
>
> Hello,
> Hope you guys are doing well. I'm trying to develop an RSA engine. My engine was somewhat working until I tried to integrate my engine with an apache httpd server. After installing the httpd from the source code, it turns out that I can't compile my engine anymore. I get the following error while I try to compile (it was compiling before and I did not make any changes to my engine code).
>
> ==============================
>
> $gcc -fPIC -c r_engine.c
> r_engine.c:29:8: error: redefinition of ‘struct rsa_meth_st’
>  struct rsa_meth_st {
>         ^
> In file included from /usr/include/openssl/crypto.h:131:0,
>                  from r_engine.c:7:
> /usr/include/openssl/ossl_typ.h:147:16: note: originally defined here
>  typedef struct rsa_meth_st RSA_METHOD;
>
> =============================
>
> and my struct rsa_meth_st looks like the following,
>
> ================================================================================
>
> struct rsa_meth_st {
>     const char *name;
>     int (*rsa_pub_enc) (int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding);
>     int (*rsa_pub_dec) (int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding);
>     int (*rsa_priv_enc) (int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding);
>     int (*rsa_priv_dec) (int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding);
>     int (*rsa_mod_exp) (BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx);
>     int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
>     int (*init) (RSA *rsa);
>     int (*finish) (RSA *rsa);
>     int flags;
>     char *app_data;
>     int (*rsa_sign) (int type, const unsigned char *m, unsigned int m_length, unsigned char *sigret, unsigned int *siglen, const RSA *rsa);
>     int (*rsa_verify) (int dtype, const unsigned char *m, unsigned int m_length, const unsigned char *sigbuf, unsigned int siglen, const RSA *rsa);
>     int (*rsa_keygen) (RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb);
> };
>
> =================================================================================
>
> My sample skeleton code is here https://pastebin.com/uNXYknEA
>
> Can anyone please tell me what am I doing wrong?
>
> Regards,
> Shariful Alam
------------------------------

Message: 4
Date: Mon, 12 Apr 2021 18:34:51 +0200
From: Richard Levitte
To: "openssl-users at openssl.org"
Subject: Re: PEM_read_bio_RSAPublicKey equivalent API which returns EVP_PKEY
Message-ID: <87h7kba2c4.wl-levitte at openssl.org>
Content-Type: text/plain; charset=US-ASCII

On Mon, 12 Apr 2021 06:24:32 +0200, Paramashivaiah, Sunil wrote:
>
> But, I couldn't find an equivalent API to replace "PEM_read_bio_RSAPublicKey" to get EVP_PKEY for
> creating EVP ctx(EVP_PKEY_CTX_new) to use in "EVP_PKEY_encrypt" and "EVP_PKEY_decrypt".

I believe that one of these functions would help you:

    EVP_PKEY_CTX *EVP_PKEY_CTX_new(EVP_PKEY *pkey, ENGINE *e);
    EVP_PKEY_CTX *EVP_PKEY_CTX_new_from_pkey(OSSL_LIB_CTX *libctx, EVP_PKEY *pkey,
                                             const char *propquery);

Cheers,
Richard

--
Richard Levitte         levitte at openssl.org
OpenSSL Project         http://www.openssl.org/~levitte/

------------------------------

Message: 5
Date: Mon, 12 Apr 2021 17:42:20 +0100
From: Matt Caswell
To: openssl-users at openssl.org
Subject: Re: error: redefinition of ‘struct rsa_meth_st’
Message-ID:
Content-Type: text/plain; charset=utf-8; format=flowed

You can look at the dummy async engine which wraps the standard RSA functions inside an engine (as well as various other crypto primitives). You can see it here:

https://github.com/openssl/openssl/blob/OpenSSL_1_1_1-stable/engines/e_dasync.c

Matt

On 12/04/2021 17:32, Shariful Alam wrote:
> Dr. Pauli,
> Good morning. Thank you for replying. I found the documentation a bit difficult for me to understand. I was wondering if you can direct me to a sample skeleton code for creating a custom RSA engine.
>
> Regards,
> Shariful Alam
>
> On Sun, Apr 11, 2021 at 6:00 PM Dr Paul Dale wrote:
>
>     You shouldn't be accessing the internals of a private structure. That structure was made private for a reason and duplicating it in your engine will break when we change the structure's contents.
>
>     Your engine should be using the EVP_PKEY_meth_set_* functions to do what you want (for 1.1.1). For 3.0, you should be writing a provider instead.
>
>     Pauli
>
>     On 12/4/21 5:04 am, Shariful Alam wrote:
>> Hello,
>> Hope you guys are doing well. I'm trying to develop an RSA engine. My engine was somewhat working until I tried to integrate my engine with an apache httpd server. After installing the httpd from the source code, it turns out that I can't compile my engine anymore. I get the following error while I try to compile (it was compiling before and I did not make any changes to my engine code).
>>
>> ==============================
>>
>> $gcc -fPIC -c r_engine.c
>> r_engine.c:29:8: error: redefinition of ‘struct rsa_meth_st’
>>  struct rsa_meth_st {
>>         ^
>> In file included from /usr/include/openssl/crypto.h:131:0,
>>                  from r_engine.c:7:
>> /usr/include/openssl/ossl_typ.h:147:16: note: originally defined here
>>  typedef struct rsa_meth_st RSA_METHOD;
>>
>> =============================
>>
>> and my struct rsa_meth_st looks like the following,
>>
>> ================================================================================
>>
>> struct rsa_meth_st {
>>     const char *name;
>>     int (*rsa_pub_enc) (int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding);
>>     int (*rsa_pub_dec) (int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding);
>>     int (*rsa_priv_enc) (int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding);
>>     int (*rsa_priv_dec) (int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding);
>>     int (*rsa_mod_exp) (BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx);
>>     int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
>>     int (*init) (RSA *rsa);
>>     int (*finish) (RSA *rsa);
>>     int flags;
>>     char *app_data;
>>     int (*rsa_sign) (int type, const unsigned char *m, unsigned int m_length, unsigned char *sigret, unsigned int *siglen, const RSA *rsa);
>>     int (*rsa_verify) (int dtype, const unsigned char *m, unsigned int m_length, const unsigned char *sigbuf, unsigned int siglen, const RSA *rsa);
>>     int (*rsa_keygen) (RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb);
>> };
>>
>> =================================================================================
>>
>> My sample skeleton code is here https://pastebin.com/uNXYknEA
>>
>> Can anyone please tell me what am I doing wrong?
>>
>> Regards,
>> Shariful Alam
>

------------------------------

End of openssl-users Digest, Vol 77, Issue 20
*********************************************
From pauli at openssl.org Wed Apr 14 11:31:54 2021
From: pauli at openssl.org (Dr Paul Dale)
Date: Wed, 14 Apr 2021 21:31:54 +1000
Subject: OpenSSL 3.0 - providing entropy to EVP_RAND ?
In-Reply-To: <406505205.1959745.1618397253247@mail.yahoo.com>
References: <1644797849.3514421.1616566460759.ref@mail.yahoo.com> <1644797849.3514421.1616566460759@mail.yahoo.com> <1da19067-8dbb-f832-f3bc-79dbd7b84eb8@openssl.org> <406505205.1959745.1618397253247@mail.yahoo.com>
Message-ID:

For setting up a parent for a DRBG, look at /providers/implementations/rands/test_rng.c which produces seed material (test_rng_generate) and nonces (test_rng_nonce). The built in DRBGs don't need the nonce, they will act as per SP800-90Ar1 section 9.1 with a nonce available from their parent. /providers/implementations/rands/seed_src.c is the OpenSSL seed source and it doesn't supply nonces.

For the CAVS tests, look at test/acvp_test.c or test/evp_test.c which both include code to run NIST's tests.

Pauli

On 14/4/21 8:47 pm, Bala Duvvuri wrote:
> 1> >>The best way to do this, is to create a provider which acts as a seed source and to then use this as the parent of the primary DRBG. See, for example, test/testutil/fakerandom.c for how to do this. The key is to set up the seed source before the RNG subsystem is first used.
>
> In our case we provide the entropy and nonce from hardware sources (as it's on an embedded platform) as requested by the DRBG in the older version. Now, if we set up a custom provider and use it as parent of the primary DRBG, it's not clear how the entropy and nonce from this provider will be accessed, which API is invoked for the entropy/nonce consumption (any specific callbacks set)? Can you please explain the steps or an example of the usage?
>
> 2> Also, we need to set up the DRBG for the CAVS test (Input: EntropyInput, Nonce, PersonalizationString, AdditionalInput, EntropyInputPR, AdditionalInput, EntropyInputPR); with OpenSSL 1.1.1, the below steps were done:
>
>     RAND_DRBG_new(NID_aes_256_ctr, RAND_DRBG_FLAGS, NULL);
>     RAND_DRBG_set_callbacks   // This will set it up to return the provided entropy and nonce inputs
>     RAND_DRBG_instantiate     // Pass personalization string.
>     RAND_DRBG_generate
>
> Can you kindly let me know the equivalent steps with OpenSSL 3.0?
>
> Thank you for your help in this.
>
> Thanks
> Bala
>
> On Wednesday, 24 March, 2021, 11:56:18 am IST, Dr Paul Dale wrote:
>
> RAND_add() forces a reseed to the DRBGs and uses the passed material (not as entropy but as additional input).
>
> EVP_RAND_reseed() is a more direct interface but remember that the built in DRBGs are free to ignore what the user claims is /entropy/. History has shown us time and again that /entropy/ is often anything but.
>
> The *best* way to do this, is to create a provider which acts as a seed source and to then use this as the parent of the primary DRBG. See, for example, test/testutil/fakerandom.c for how to do this. The key is to set up the seed source before the RNG subsystem is first used.
>
> If you simply want to replace the built-in DRBGs with a real random source, create a provider and set the appropriate environment/config variables.
>
> Pauli
>
> On 24/3/21 4:14 pm, Bala Duvvuri via openssl-users wrote:
>> Hi All,
>> In OpenSSL 1.1.1 version, we were using RAND_DRBG for random number generation. Using "RAND_DRBG_set_callbacks", we were able to call into our custom API for entropy and nonce generation. How can this be achieved with the EVP_RAND implementation, i.e. does it allow entropy to be provided?
>> Thanks
>> Bala
URL: From 1nagarjun1 at gmail.com Wed Apr 14 18:13:47 2021 From: 1nagarjun1 at gmail.com (Nagarjun J) Date: Wed, 14 Apr 2021 23:43:47 +0530 Subject: SP800 56A rev3 patch Message-ID: Hi, I am looking to patch FOM for sp800 56 rev3 support . Does openssl-3.0 implements this requirement? Is there any patches available? Regards Nag -------------- next part -------------- An HTML attachment was scrubbed... URL: From 1nagarjun1 at gmail.com Wed Apr 14 18:19:47 2021 From: 1nagarjun1 at gmail.com (Nagarjun J) Date: Wed, 14 Apr 2021 23:49:47 +0530 Subject: Sp800 56a rev3 Message-ID: Hi, Suppose if any one submitted for FIPS 140-2 certification in Nov 2020 , what is the deadline to meet sp800 56 a rev3 revision requirement to avoid certificate going into historical list. And if we meet requirement before deadline what is the validity of certificate. And do we need to test this with old cmvp or new acvp procedure. Regards Nag -------------- next part -------------- An HTML attachment was scrubbed... URL: From pauli at openssl.org Wed Apr 14 22:12:25 2021 From: pauli at openssl.org (Dr Paul Dale) Date: Thu, 15 Apr 2021 08:12:25 +1000 Subject: Sp800 56a rev3 In-Reply-To: References: Message-ID: These are all questions for your FIPS lab. Pauli On 15/4/21 4:19 am, Nagarjun J wrote: > Hi, > > Suppose if any one submitted for FIPS 140-2 certification in Nov 2020 > , what is the deadline to meet sp800 56 a rev3 revision requirement to > avoid certificate going into historical list. And if we meet > requirement before deadline what is the validity of certificate. And > do we need to test this with old cmvp or new acvp procedure. > > Regards > Nag From pauli at openssl.org Wed Apr 14 22:31:43 2021 From: pauli at openssl.org (Dr Paul Dale) Date: Thu, 15 Apr 2021 08:31:43 +1000 Subject: OpenSSL 3.0 - providing entropy to EVP_RAND ? 
In-Reply-To: <1433467435.2017681.1618409383479@mail.yahoo.com> References: <1644797849.3514421.1616566460759.ref@mail.yahoo.com> <1644797849.3514421.1616566460759@mail.yahoo.com> <1da19067-8dbb-f832-f3bc-79dbd7b84eb8@openssl.org> <406505205.1959745.1618397253247@mail.yahoo.com> <1433467435.2017681.1618409383479@mail.yahoo.com> Message-ID: Comments inline. Pauli On 15/4/21 12:09 am, Bala Duvvuri wrote: > HI Paul, > > Thanks a lot for your response, thank you for pointing to > /providers/implementations/rands/test_rng.c and the code to run NIST test. > > Still finding it a bit difficult to wrap around these new APIs > > In the old implementation using OpenSSL 1.1.1, to generate random numbers: > > a> we have set the callback for custom entropy (using > RAND_DRBG_set_callbacks) for the RAND_DRBG_get0_master() DRBG instance > (DRBG defaulted to CTR mode) > b> Also we have set the personalization string using > RAND_DRBG_instantiate and the reseed interval to 1 using > RAND_DRBG_set_reseed_interval for both master and public/private DRBG > c> RAND_bytes is used to avail random numbers. > > ""In summary, we want to use the CTR_DRBG implementation and provide > our custom entropy/nonce from hardware"" > > I am not sure if my understanding is clear, can you please let me know > this basic question how to go about this in OpenSSL 3.0? > > 1>Will I be able to use the built in DRBG and set a new custom > provider for the built in DRBG as parent? Yes, exactly.? This is what I've been saying. > 2> OR, is this the approach I need to follow > > rand = EVP_RAND_fetch(NULL, "CTR-DRBG", NULL); > > Can you let me know how can I link this "rand" to new parent that I > setup ? You can't link DRBG's to parents after creation.? This code will use the OpenSSL built in entropy source and you won't be able to change it. > > 3> >> The built in DRBG's don't need the nonce, they will act as per > SP800-90Ar1 section 9.1 with a nonce available from their parent. 
> /providers/implementations/rands/seed_src.c is the OpenSSL seed source > and it doesn't supply nonces. > > So does the built in DRBG need a nonce as above statements are > contradictory? It can accept a nonce.? However, if one isn't provided it uses a random once grabbed from it's parent via the generate call.? The latter path is easier. > 4> Also, where is the drbg_data defined/looked up in this case for the > test data vectors > > 0 acvp_test.c 1341 const struct drbg_st *tst = &drbg_data[id]; > 1 acvp_test.c 1468 ADD_ALL_TESTS(drbg_test, OSSL_NELEM(drbg_data)); Try: grep drbg_data test/* > Thanks > Bala > > On Wednesday, 14 April, 2021, 05:02:22 pm IST, Dr Paul Dale > wrote: > > > For setting up a parent for a DRBG, look at > /providers/implementations/rands/test_rng.c which produces seed > material (test_rng_generate) and nonces (test_rng_nonce).? The built > in DRBG's don't need the nonce, they will act as per SP800-90Ar1 > section 9.1 with a nonce available from their parent. > /providers/implementations/rands/seed_src.c is the OpenSSL seed source > and it doesn't supply nonces. > > For the CAVS tests, look at test/acvp_test.c or test/evp_test.c which > both include code to run NISTs tests. > > > Pauli > > On 14/4/21 8:47 pm, Bala Duvvuri wrote: > 1> >>The best way to do this, is to create a provider which acts as a > seed source and to then use this as the parent of the primary DRBG. > See, for example, test/testutil/fakerandom.c for how to do this. The > key is to set up the seed source before the RNG subsystem is first used. > > In our case we provide the entropy and nonce from hardware sources (as > its on embedded platform) as requested by DRBG in older version. > Now, if we setup a custom provider and use it as parent of the primary > DRBG, its not clear how the entropy and nonce from this provider will > be accessed, which API is invoked for the entropy/nonce consumption > (any specific callbacks set)? 
> Can you please explain the steps or example of the usage?
>
> 2> Also, we need to set the DRBG for CAVS test (Input: EntropyInput, Nonce, PersonalizationString, AdditionalInput, EntropyInputPR, AdditionalInput, EntropyInputPR), with OpenSSL 1.1.1, the below steps were done:
>
> RAND_DRBG_new(NID_aes_256_ctr, RAND_DRBG_FLAGS, NULL);
> RAND_DRBG_set_callbacks // This will setup to return the provided entropy and nonce inputs
> RAND_DRBG_instantiate // Pass personalization string.
> RAND_DRBG_generate
>
> Can you kindly let me know the equivalent steps with OpenSSL 3.0?
>
> Thank you for your help in this.
>
> Thanks
> Bala
>
> On Wednesday, 24 March, 2021, 11:56:18 am IST, Dr Paul Dale wrote:
>
> RAND_add() forces a reseed to the DRBGs and uses the passed material (not as entropy but as additional input).
>
> EVP_RAND_reseed() is a more direct interface but remember that the built in DRBGs are free to ignore what the user claims is /entropy/. History has shown us time and again that /entropy/ is often anything but.
>
> The *best* way to do this, is to create a provider which acts as a seed source and to then use this as the parent of the primary DRBG. See, for example, test/testutil/fakerandom.c for how to do this. The key is to set up the seed source before the RNG subsystem is first used.
>
> If you simply want to replace the built-in DRBGs with a real random source, create a provider and set the appropriate environment/config variables.
>
> Pauli
>
> On 24/3/21 4:14 pm, Bala Duvvuri via openssl-users wrote:
>> Hi All, In OpenSSL 1.1.1 version, we were using RAND_DRBG for random number generation. Using "RAND_DRBG_set_callbacks", we were able to call into our custom API for entropy and nonce generation. How can this be achieved with EVP_RAND implementation i.e. does it allow entropy to be provided? Thanks Bala
From Sunil.Paramashivaiah at rbbn.com Thu Apr 15 04:30:46 2021
From: Sunil.Paramashivaiah at rbbn.com (Paramashivaiah, Sunil)
Date: Thu, 15 Apr 2021 04:30:46 +0000
Subject: PEM_read_bio_RSAPublicKey equivalent API which returns EVP_PKEY
In-Reply-To: <55526c04ddbbc19fa51a97c904c82beaa621d21c.camel@taygeta.com>
References: , <55526c04ddbbc19fa51a97c904c82beaa621d21c.camel@taygeta.com>
Message-ID:

Hi Skip Carter,

Thanks for your reply. I replaced the code as you suggested, but I am getting the below errors. It looks like I can't use RSA related APIs and data structures with OpenSSL 3.0. Please suggest if you know how to resolve these. I have included headers #include ,#include ,#include and #include

error: 'RSA' was not declared in this scope
RSA *rsa = NULL;
^~~
error: 'rsa' was not declared in this scope
RSA *rsa = NULL;
^~~
note: suggested alternative: 'read'
RSA *rsa = NULL;
^~~
read
error: 'PEM_read_bio_RSAPublicKey' was not declared in this scope
rsa = PEM_read_bio_RSAPublicKey(keybio, NULL, NULL, NULL);
^~~~~~~~~~~~~~~~~~~~~~~~~
note: suggested alternative: 'PEM_read_bio_PrivateKey'
rsa = PEM_read_bio_RSAPublicKey(keybio, NULL, NULL, NULL);
^~~~~~~~~~~~~~~~~~~~~~~~~
PEM_read_bio_PrivateKey
error: 'EVP_PKEY_assign_RSA' was not declared in this scope
EVP_PKEY_assign_RSA(evpkey, rsa);
^~~~~~~~~~~~~~~~~~~
note: suggested alternative: 'EVP_PKEY_assign_DSA'
EVP_PKEY_assign_RSA(evpkey, rsa);
^~~~~~~~~~~~~~~~~~~

Thanks and Regards,
Sunil

________________________________
From: Skip Carter
Sent: 14 April 2021 20:58
To: Paramashivaiah, Sunil
Subject: Re: PEM_read_bio_RSAPublicKey equivalent API which returns EVP_PKEY
I accomplished this with:

RSA *rsa = NULL;
rsa = PEM_read_bio_RSAPublicKey(keybio,NULL,0,NULL);
pkey = EVP_PKEY_new();
EVP_PKEY_assign_RSA(pkey,rsa);

On Wed, 2021-04-14 at 11:26 +0000, Paramashivaiah, Sunil wrote:
> NEW CODE:
>
> EVP_PKEY *evpkey = NULL;
> BIO *keybio ;
> keybio = BIO_new_mem_buf((void*)key, -1);
>
> if (!keybio)
> {
> return NULL;
> }
>
> if ( isPKCS1 == false )
> {
> evpkey = PEM_read_bio_PUBKEY(keybio, NULL, NULL, NULL);
> }
> else
> {
> // PROBLEM: what is the alternate API to replace PEM_read_bio_RSAPublicKey
>
> }
> --------------------------------------------------------------------------------------
> -----------------------------------------------------------------------------------
>
> Thanks and Regards,
> Sunil
>
> From: openssl-users on behalf of openssl-users-request at openssl.org
> Sent: 12 April 2021 22:12
> To: openssl-users at openssl.org
> Subject: openssl-users Digest, Vol 77, Issue 20
>
> Today's Topics:
>
> 1. Re: EVP_MAC_init() in 3.0 alpha 13 (Hal Murray)
> 2. Re: EVP_MAC_init() in 3.0 alpha 13 (Tomas Mraz)
> 3. Re: error: redefinition of 'struct rsa_meth_st' (Shariful Alam)
> 4. Re: PEM_read_bio_RSAPublicKey equivalent API which returns EVP_PKEY (Richard Levitte)
> 5. Re: error: redefinition of 'struct rsa_meth_st'
> (Matt Caswell)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 12 Apr 2021 05:48:57 -0700
> From: Hal Murray
> To: Dr Paul Dale
> Cc: openssl-users at openssl.org
> Subject: Re: EVP_MAC_init() in 3.0 alpha 13
> Message-ID: <20210412124857.623AB40605C at ip-64-139-1-69.sjc.megapath.net>
> Content-Type: text/plain; charset=us-ascii
>
> > Did you attempt to pass NULL for the key and zero for its length to the EVP_MAC_init() call?
>
> Yes.
>
> We can do better. If we have to use dup/free, we can move the EVP_MAC_init() to before the dup, out of the timing path.
>
> My model is that initialization is 2 parts. The first is turning the key into a big table. The second is initializing a small amount of state that is whatever is needed/updated by EVP_MAC_update().
>
> I was hoping that EVP_MAC_init() with NULL key would bypass the first step and do the second.
>
> If the second step involves a lot of computation we get into the space/time tradeoff of computing it during step one and saving it in case EVP_MAC_init is called with NULL key.
>
> If there was a copy operation we could use it instead of dup/free.
>
> Where is the code that does the key setup? I expect it will be obvious after I see it, but I don't know my way around that linkage yet. I'm using the default AES-128-CBC.
>
> ---------
>
> I don't think I've said it explicitly, but thanks for the change to the API for EVP_MAC_init()
>
> ----------
>
> Should PKEY be a potentially interesting approach for something like this? I think it was suggested months ago. One advantage is that the code works with 1.1.1.
>
> It's horribly slow in 3.0
>
> alpha14:
> 0.777 CMAC
> 7.533 PKEY
> 3.323 PKEY preload
> 0.392 EVP_MAC
> 0.308 EVP_MAC Preload with dup+free
> 0.102 EVP_MAC Preload (no dup, wrong answer)
>
> 1.1.1k:
> 0.285 CMAC
> 0.550 PKEY
> 0.196 PKEY preload
>
> --
> These are my opinions. I hate spam.
> ------------------------------
>
> Message: 2
> Date: Mon, 12 Apr 2021 15:05:37 +0200
> From: Tomas Mraz
> To: Hal Murray , Dr Paul Dale
> Cc: openssl-users at openssl.org
> Subject: Re: EVP_MAC_init() in 3.0 alpha 13
> Message-ID: <348b006ceb83fd4301438cbb0c57b473a4f4ef23.camel at openssl.org>
> Content-Type: text/plain; charset="UTF-8"
>
> On Mon, 2021-04-12 at 05:48 -0700, Hal Murray wrote:
> > > Did you attempt to pass NULL for the key and zero for its length to the EVP_MAC_init() call?
> >
> > Yes.
> >
> > We can do better. If we have to use dup/free, we can move the EVP_MAC_init() to before the dup, out of the timing path.
> >
> > My model is that initialization is 2 parts. The first is turning the key into a big table. The second is initializing a small amount of state that is whatever is needed/updated by EVP_MAC_update().
> >
> > I was hoping that EVP_MAC_init() with NULL key would bypass the first step and do the second.
>
> We would have to introduce the special semantics similar to EVP_CipherInit() with EVP_MAC_init(). I.e., that the EVP_CipherInit() with NULL key keeps the key schedule from the previous initialization.
>
> > If the second step involves a lot of computation we get into the space/time tradeoff of computing it during step one and saving it in case EVP_MAC_init is called with NULL key.
> >
> > If there was a copy operation we could use it instead of dup/free.
>
> I do not think we want to introduce the copy operation. We are trying to get out of the copy() pattern as it is much harder to handle correctly than the dup().
>
> > Where is the code that does the key setup? I expect it will be obvious after I see it, but I don't know my way around that linkage yet. I'm using the default AES-128-CBC.
> >
> > ---------
> >
> > I don't think I've said it explicitly, but thanks for the change to the API for EVP_MAC_init()
> >
> > ----------
> >
> > Should PKEY be a potentially interesting approach for something like this? I think it was suggested months ago. One advantage is that the code works with 1.1.1.
> >
> > It's horribly slow in 3.0
> >
> > alpha14:
> > 0.777 CMAC
> > 7.533 PKEY
> > 3.323 PKEY preload
> > 0.392 EVP_MAC
> > 0.308 EVP_MAC Preload with dup+free
> > 0.102 EVP_MAC Preload (no dup, wrong answer)
> >
> > 1.1.1k:
> > 0.285 CMAC
> > 0.550 PKEY
> > 0.196 PKEY preload
>
> --
> Tomáš Mráz
> No matter how far down the wrong road you've gone, turn back.
> Turkish proverb
> [You'll know whether the road is wrong if you carefully listen to your conscience.]
>
> ------------------------------
>
> Message: 3
> Date: Mon, 12 Apr 2021 10:32:32 -0600
> From: Shariful Alam
> To: Dr Paul Dale
> Cc: openssl-users at openssl.org
> Subject: Re: error: redefinition of 'struct rsa_meth_st'
> Message-ID:
> Content-Type: text/plain; charset="utf-8"
>
> Dr. Pauli,
> Good morning. Thank you for replying. I found the documentation a bit difficult for me to understand. I was wondering if you can direct me to a sample skeleton code for creating a custom RSA engine.
>
> Regards,
> Shariful Alam
>
> On Sun, Apr 11, 2021 at 6:00 PM Dr Paul Dale wrote:
> > You shouldn't be accessing the internals of a private structure. That structure was made private for a reason and duplicating it in your engine will break when we change the structure's contents.
> >
> > Your engine should be using the EVP_PKEY_meth_set_* function to do what you want (for 1.1.1). For 3.0, you should be writing a provider instead.
> >
> > Pauli
> >
> > On 12/4/21 5:04 am, Shariful Alam wrote:
> >
> > Hello,
> > Hope you guys are doing well. I'm trying to develop an RSA engine.
> > My engine was somewhat working until I try to integrate my engine with an apache httpd server. After installing the httpd from the source code, it turns out that I can't compile my engine anymore. I get the following error while I try to compile (it was compiling before and I did not make any changes to my engine code).
> >
> > ==============================
> >
> > $gcc -fPIC -c r_engine.c
> >
> > r_engine.c:29:8: error: redefinition of 'struct rsa_meth_st'
> > struct rsa_meth_st {
> >        ^
> > In file included from /usr/include/openssl/crypto.h:131:0, from r_engine.c:7:
> > /usr/include/openssl/ossl_typ.h:147:16: note: originally defined here
> > typedef struct rsa_meth_st RSA_METHOD;
> >
> > =============================
> >
> > and my struct rsa_meth_st looks like the following,
> >
> > ================================================================================
> >
> > struct rsa_meth_st {
> >     const char *name;
> >     int (*rsa_pub_enc) (int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding);
> >     int (*rsa_pub_dec) (int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding);
> >     int (*rsa_priv_enc) (int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding);
> >     int (*rsa_priv_dec) (int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding);
> >     int (*rsa_mod_exp) (BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx);
> >     int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
> >     int (*init) (RSA *rsa);
> >     int (*finish) (RSA *rsa);
> >     int flags;
> >     char *app_data;
> >     int (*rsa_sign) (int type, const unsigned char *m, unsigned int m_length, unsigned char *sigret, unsigned int *siglen, const RSA *rsa);
> >     int (*rsa_verify) (int dtype, const unsigned char *m,
> >                        unsigned int m_length, const unsigned char *sigbuf, unsigned int siglen, const RSA *rsa);
> >     int (*rsa_keygen) (RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb);
> > };
> >
> > =================================================================================
> >
> > My sample skeleton code is here https://clicktime.symantec.com/33X17gA39DAZvzaTx4AG8ej6H2?u=https%3A%2F%2Fpastebin.com%2FuNXYknEA
> >
> > Can anyone please tell me what am I doing wrong?
> >
> > Regards,
> > Shariful Alam
>
> ------------------------------
>
> Message: 4
> Date: Mon, 12 Apr 2021 18:34:51 +0200
> From: Richard Levitte
> To: "openssl-users at openssl.org"
> Subject: Re: PEM_read_bio_RSAPublicKey equivalent API which returns EVP_PKEY
> Message-ID: <87h7kba2c4.wl-levitte at openssl.org>
> Content-Type: text/plain; charset=US-ASCII
>
> On Mon, 12 Apr 2021 06:24:32 +0200, Paramashivaiah, Sunil wrote:
> >
> > But, I couldn't find an equivalent API to replace "PEM_read_bio_RSAPublicKey" to get EVP_PKEY for creating EVP ctx (EVP_PKEY_CTX_new) to use in "EVP_PKEY_encrypt" and "EVP_PKEY_decrypt".
>
> I believe that one of these functions would help you:
>
> EVP_PKEY_CTX *EVP_PKEY_CTX_new(EVP_PKEY *pkey, ENGINE *e);
> EVP_PKEY_CTX *EVP_PKEY_CTX_new_from_pkey(OSSL_LIB_CTX *libctx, EVP_PKEY *pkey, const char *propquery);
>
> Cheers,
> Richard
>
> --
> Richard Levitte levitte at openssl.org
> OpenSSL Project
> https://clicktime.symantec.com/3Mg1WCF9H66r4CYkJ5HJcfU6H2?u=http%3A%2F%2Fwww.openssl.org%2F~levitte%2F
>
> ------------------------------
>
> Message: 5
> Date: Mon, 12 Apr 2021 17:42:20 +0100
> From: Matt Caswell
> To: openssl-users at openssl.org
> Subject: Re: error: redefinition of 'struct rsa_meth_st'
> Message-ID:
> Content-Type: text/plain; charset=utf-8; format=flowed
>
> You can look at the dummy async engine which wraps the standard RSA functions inside an engine (as well as various other crypto primitives). You can see it here:
>
> https://clicktime.symantec.com/36mWBLRZPoyFNTFYDsD2yZ26H2?u=https%3A%2F%2Fgithub.com%2Fopenssl%2Fopenssl%2Fblob%2FOpenSSL_1_1_1-stable%2Fengines%2Fe_dasync.c
>
> Matt
>
> On 12/04/2021 17:32, Shariful Alam wrote:
> > Dr. Pauli,
> > Good morning. Thank you for replying. I found the documentation a bit difficult for me to understand. I was wondering if you can direct me to a sample skeleton code for creating a custom RSA engine.
> >
> > Regards,
> > Shariful Alam
> >
> > On Sun, Apr 11, 2021 at 6:00 PM Dr Paul Dale wrote:
> >
> > You shouldn't be accessing the internals of a private structure. That structure was made private for a reason and duplicating it in your engine will break when we change the structure's contents.
> >
> > Your engine should be using the EVP_PKEY_meth_set_* function to do what you want (for 1.1.1). For 3.0, you should be writing a provider instead.
> >
> > Pauli
> >
> > On 12/4/21 5:04 am, Shariful Alam wrote:
> >> Hello,
> >> Hope you guys are doing well. I'm trying to develop an RSA engine.
> >> My engine was somewhat working until I try to integrate my engine with an apache httpd server. After installing the httpd from the source code, it turns out that I can't compile my engine anymore. I get the following error while I try to compile (it was compiling before and I did not make any changes to my engine code).
> >>
> >> ==============================
> >>
> >> $gcc -fPIC -c r_engine.c
> >> r_engine.c:29:8: error: redefinition of 'struct rsa_meth_st'
> >>  struct rsa_meth_st {
> >>         ^
> >> In file included from /usr/include/openssl/crypto.h:131:0,
> >>                  from r_engine.c:7:
> >> /usr/include/openssl/ossl_typ.h:147:16: note: originally defined here
> >>  typedef struct rsa_meth_st RSA_METHOD;
> >>
> >> =============================
> >>
> >> and my struct rsa_meth_st looks like the following,
> >>
> >> ================================================================================
> >>
> >> struct rsa_meth_st {
> >>
> >>     const char *name;
> >>     int (*rsa_pub_enc) (int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding);
> >>     int (*rsa_pub_dec) (int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding);
> >>     int (*rsa_priv_enc) (int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding);
> >>     int (*rsa_priv_dec) (int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding);
> >>
> >>     int (*rsa_mod_exp) (BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx);
> >>
> >>     int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
> >>
> >>     int (*init) (RSA *rsa);
> >>
> >>     int (*finish) (RSA *rsa);
> >>
> >>     int flags;
> >>
> >>     char *app_data;
> >>
> >>     int (*rsa_sign) (int type, const unsigned char *m, unsigned int m_length, unsigned char *sigret, unsigned int *siglen, const RSA *rsa);
> >>
> >>     int (*rsa_verify) (int dtype, const unsigned char *m, unsigned int m_length, const unsigned char *sigbuf, unsigned int siglen, const RSA *rsa);
> >>
> >>     int (*rsa_keygen) (RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb);
> >>
> >> };
> >>
> >> =================================================================================
> >>
> >> My sample skeleton code is here https://clicktime.symantec.com/33X17gA39DAZvzaTx4AG8ej6H2?u=https%3A%2F%2Fpastebin.com%2FuNXYknEA
> >>
> >> Can anyone please tell me what am I doing wrong?
> >>
> >> Regards,
> >> Shariful Alam
>
> ------------------------------
>
> End of openssl-users Digest, Vol 77, Issue 20
> *********************************************
--
Dr Everett (Skip) Carter 0x8176163B
skip at taygeta.com
Taygeta Scientific Inc
607 Charles Ave
Seaside CA 93955
831-641-0645 x103

From fabpet at gmail.com Thu Apr 15 10:30:33 2021
From: fabpet at gmail.com (Fabio)
Date: Thu, 15 Apr 2021 12:30:33 +0200
Subject: Help with i2d_CMS_bio_stream from OpenSSL 1.0 to OpenSSL 1.1.1j
In-Reply-To:
References:
Message-ID:

Hi all,
I apologize but I just figured out that the problem is not the stack as I supposed. I tried i2d_X509 and i2d_X509_bio and the output DER certificate I was pushing in is broken... How is it possible? Clearly I read it from a file so it could be broken in the d2i version too...
On Wed 14 Apr 2021 at 09:44 Fabio wrote:
> Thank you,
> It is a very useful resource but my problem is actually a wrong conversion of the stack of structures to ASN1 SEQUENCE in DER.
> What actually changed between 1.0.2 and 1.1.1?
> Thanks
> F
>
> On Tue 13 Apr 2021 at 14:38 Floodeenjr, Thomas <thomas_floodeenjr at mentor.com> wrote:
>> Hello,
>>
>> Are there any clues for you here?
>>
>> https://wiki.tizen.org/Security/Tizen_5.X_Migration_from_OpenSSL_1.0.2_to_OpenSSL_1.1.1_guide
>>
>> -Tom
>>
>> From: openssl-users On Behalf Of Fabio
>> Sent: Tuesday, April 13, 2021 12:59 AM
>> To: openssl-users at openssl.org
>> Subject: Re: Help with i2d_CMS_bio_stream from OpenSSL 1.0 to OpenSSL 1.1.1j
>>
>> Hi,
>> no one has any hints?
>>
>> On Thu 8 Apr 2021 at 10:53 Fabio wrote:
>> Hi all,
>> I have a problem upgrading my code from openssl 1.0 to the last 1.1.1j.
>> Using an older version, I exported the CMS code in order to extend and modify some calculations. I used i2d_CMS_bio_stream to convert the struct to DER.
>>
>> Using OpenSSL 1.1.1j I had to change all the DECLARE_STACK_OF in DEFINE_STACK_OF but now, i2d_CMS_bio_stream produces a broken DER. In particular when in the code I add a stack to the structure and push some struct into the stack, i2d_CMS_bio_stream does not write correctly the SEQUENCE (instead I get some 0x06 0x82 0x30 0x82)...
>>
>> What should I do to fix this?
>> Thanks.
>>
>> FP
From michal.moravec at logicworks.cz Thu Apr 15 10:57:37 2021
From: michal.moravec at logicworks.cz (Michal Moravec)
Date: Thu, 15 Apr 2021 10:57:37 +0000
Subject: PKCS7_decrypt vs RSA OAEP padding
In-Reply-To: <1FE54151-FBDB-40C5-9806-C61CF63573FE@logicworks.cz>
References: <014A6238-B9C5-498B-995B-46E3CCE2C2E3@logicworks.cz> <1FE54151-FBDB-40C5-9806-C61CF63573FE@logicworks.cz>
Message-ID:

Follow-up on my previous email:

I modified my proof-of-problem program to load PKCS7 file into PKCS7 and convert it to CMS_ContentInfo using the BIO (See convert.c in the attachment). It is similar to this:

handle_encrypted_content(SCEP *handle, SCEP_DATA *data, PKCS7 *p7env, X509 *dec_cert, EVP_PKEY *dec_key) {
...
CMS_ContentInfo *cmsEnv = NULL;
BIO *conversion = NULL;
conversion = BIO_new(BIO_s_mem());
PEM_write_bio_PKCS7(conversion, p7env);
cmsEnv = PEM_read_bio_CMS(conversion, NULL, NULL, NULL);
CMS_decrypt(cmsEnv, dec_key, dec_cert, NULL, decData, 0);

convert.c works well with my test data and CMS_decrypt successfully decrypts the CMS_ContentInfo.

When I put this code into practice = using it in the actual library -> https://github.com/EtneteraLogicworks/libscep/commit/d94a24b28fcf3a1c1f0dc5e48e274627eed2b3f6
Calling CMS_decrypt results in segfault inside libcrypto library:

Apr 15 12:08:36 scepdev kernel: openxpkid (main[759]: segfault at ffffffffac6d8cd0 ip 00007f6b4d3040a0 sp 00007ffde9477738 error 5 in libcrypto.so.1.1[7f6b4d29c000+19e000]

I have no idea how to debug this :-( Way out of my league here.

MM

On 13. 4. 2021, at 16:07, Michal Moravec wrote:

Hey Eliot,

Thank you for the PKCS7 vs CMS info.

# The test

you might try wrapping this stuff in PHP

I don't use PHP so I decided to do it in C. I was able to confirm my suspicion about PKCS7_decrypt not being able to decrypt message where RSA is used with OAEP padding!

There are two programs attached (+ scep.h header file they both use):
- pkcs7.c is based on code from libscep library I mentioned.
- cms.c is very similar to pkcs7.c. I've only replaced the PKCS7 methods and data structures for CMS equivalents.

For them to work you need files named "scep.key", "scep.pem" and "pkimessage.p7b" present in current working directory <- I was too lazy to use args.

My test files are also attached:
- pkimessage_rsa.p7b <- RSA encryption (Possibly with PKCS 1.5 padding?) is used. Both pkcs7.c and cms.c are able to decrypt the payload.
- pkimessage_rsaoaep.p7b <- RSA encryption with OAEP padding is used. Only cms.c is able to decrypt the payload.
- scep.key and scep.pem (SCEP service certificate and private key I use for testing).

# How to fix my problem

There are multiple routes for me to solve this problem:
1. Convince SCEP client vendor (VMware) to let me configure encryption algorithm types or revert the change altogether (Still don't know if it was intentional).
2. Report this as a bug to OpenSSL and hope it gets fixed.
3. Replace the PKCS7_decrypt for CMS_decrypt in the libscep library.

## (1)
I have opened a ticket with their support a week ago but it is _very_ hard to get hold of someone who has any idea what I am talking about.

## (2)
Back to my question from the original email. If it is indeed not capable of doing that would it be a bug or desired behavior? Should I report this as a bug? If yes is there any chance this might be fixed soon (meaning in 1.1.1 branch instead of 3.0)?

## (3)
This is something I can do myself but there are two approaches.
A. Easy. Replace only PKCS7_decrypt method for CMS_decrypt method.
B. Hard. Rework the entire library to use CMS instead of PKCS7.

I would very much like to go for the Easy choice here for two reasons. I am not able to do proper testing for such massive change. For the same reason (plus one other) it is not very likely the big change would be accepted upstream -> Is there an easy way to convert PKCS7 struct into CMS_ContentInfo struct? OR If there is not an easy way what would be a hard way to do it?

Michal Moravec

On 12. 4.
2021, at 19:24, Eliot Lear wrote:

Hi Michal,

CMS has limited backward compatibility with PKCS#7. This is discussed in RFC 5652, and includes some suggestions as to how to some issues that might crop up. At least the old draft of SCEP very specifically does NOT specify CMS, but that might not have stopped someone from using it. These docs tend to be quite sloppy. For example, I know one that uses both PEM and DER encodings on the wire. Drives me batty. For enrolment this is particularly embarrassing, considering its sensitivity.

As a sysadmin, you might try wrapping this stuff in PHP and just trying both the pkcs_decrypt and cms_decrypt calls and seeing if either work.

Eliot

On 12.04.21 14:13, Michal Moravec wrote:

Hello,

I am a system administrator trying to integrate two pieces of software using the SCEP protocol (more on that later in the More Context section). Integration was working but one side (SaaS product) changed the algorithms it uses for signing and encryption within the PKCS7 message. After that I am unable to decrypt the PKCS7 messages on my end and get the error:

"ERROR 139701710696896:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:../crypto/evp/evp_enc.c:597: message_static_functions.c:221: decryption failed"

From my current state of investigation it looks highly likely there is a problem with PKCS7_decrypt method which might be unable to decrypt the PKCS7/CMS payload if the RSA is used together with OAEP padding.

1. What are the differences between pkcs7 https://github.com/openssl/openssl/tree/681618cfc18b4f01f2c07e823308d30f6f47504b/crypto/pkcs7 and CMS https://github.com/openssl/openssl/tree/681618cfc18b4f01f2c07e823308d30f6f47504b/crypto/cms implementations? If I understand correctly CMS is just a newer name for PKCS7 adopted by newer RFCs? Do these two implementations overlap?
Or is there some kind of major difference like PKCS7 module being there for compatibility with older code and CMS is basically the replacement to use for the future?

2. Is PKCS7_decrypt method in https://github.com/openssl/openssl/blob/681618cfc18b4f01f2c07e823308d30f6f47504b/crypto/pkcs7/pk7_smime.c capable of decrypting the PKCS7 payload when OAEP padding is used together with RSA to encrypt it? If it is indeed not capable of doing that would it be a bug or desired behavior?

I found a few pointers:
- https://stackoverflow.com/questions/56941480/how-to-set-padding-oaep-for-pkcs7-decrypt-function-using-openssl <- Developer is unable to use PKCS7_decrypt with RSA OAEP and forced to switch to CMS_decrypt method.
- https://stackoverflow.com/questions/34304570/how-to-resolve-the-evp-decryptfinal-ex-bad-decrypt-during-file-decryption <- Padding being a source problem of EVP_DecryptFinal_ex:bad decrypt error message.

3. How to replace PKCS7_decrypt method with CMS_decrypt as easily as possible?

I have no hard proof of the PKCS7_decrypt being the culprit here so I started working on a simple C program to reproduce the issue. Problem is my C skills are very rusty and I have no experience working with OpenSSL C library.

int PKCS7_decrypt(PKCS7 *p7, EVP_PKEY *pkey, X509 *cert, BIO *data, int flags);
int CMS_decrypt(CMS_ContentInfo *cms, EVP_PKEY *pkey, X509 *cert, BIO *dcont, BIO *out, unsigned int flags);

Methods are very similar but input data format is different. Is there an easy way to convert PKCS7 struct into CMS_ContentInfo struct?

Original usage of PKCS7_decrypt here -> https://github.com/openxpki/libscep/blob/4067eae283ce0b3025d414e9d3b6af30def8c093/src/message_static_functions.c

# More Context

My goal is to obtain signed client certificate using the SCEP protocol.

SCEP server: OpenXPKI https://github.com/openxpki/openxpki (Perl) with libscep https://github.com/openxpki/libscep library (C). libscep uses OpenSSL.
SCEP client: VMware Workspace ONE UEM SaaS (WSO).
Black box. From the error codes client produces I strongly suspect they use OpenSSL within .Net code.

Originally WSO SCEP client used these three algorithms for PKCS7 operation: SHA-1, RSA (PKCS 1.5 padding or no padding <- can't tell which) and 3DES-CBC. They made some sort of change (unannounced) and since the last SaaS update WSO client uses SHA-2 (256bit), RSA with OAEP padding and AES-256-CBC. Compare the attached PKCS7 messages (libscep_wso*.p7b). I use https://lapo.it/asn1js to decode them easily.

After the change I am unable to decrypt the PKIOperation message on the server side. I suspect the RSA with OAEP is the cause of the problem because using a different client with SHA-256, AES-256-CBC and RSA decryption works without any problem (libscep_sscep_ok.p7b).

Best Regards,
Michal Moravec

From jb-openssl at wisemo.com Thu Apr 15 12:01:59 2021
From: jb-openssl at wisemo.com (Jakob Bohm)
Date: Thu, 15 Apr 2021 14:01:59 +0200
Subject: PKCS7_decrypt vs RSA OAEP padding
In-Reply-To:
References: <014A6238-B9C5-498B-995B-46E3CCE2C2E3@logicworks.cz> <1FE54151-FBDB-40C5-9806-C61CF63573FE@logicworks.cz>
Message-ID:

On 2021-04-15 12:57, Michal Moravec wrote:
> Follow-up on my previous email:
>
> I modified my proof-of-problem program to load PKCS7 file into PKCS7 and convert it to CMS_ContentInfo using the BIO (See convert.c in the attachment). It is similar to this:
>
>> handle_encrypted_content(SCEP *handle, SCEP_DATA *data, PKCS7 *p7env, X509 *dec_cert, EVP_PKEY *dec_key) {
>> ...
>> CMS_ContentInfo *cmsEnv = NULL;
>> BIO *conversion = NULL;
>> conversion = BIO_new(BIO_s_mem());
>> PEM_write_bio_PKCS7(conversion, p7env);
>> cmsEnv = PEM_read_bio_CMS(conversion, NULL, NULL, NULL);
>> CMS_decrypt(cmsEnv, dec_key, dec_cert, NULL, decData, 0);
>
> convert.c works well with my test data and CMS_decrypt successfully
> decrypts the CMS_ContentInfo.
>
> When I put this code into practice = using it in the actual library ->
> https://github.com/EtneteraLogicworks/libscep/commit/d94a24b28fcf3a1c1f0dc5e48e274627eed2b3f6
> Calling CMS_decrypt results in a segfault inside the libcrypto library:
>> Apr 15 12:08:36 scepdev kernel: openxpkid (main[759]: segfault at
>> ffffffffac6d8cd0 ip 00007f6b4d3040a0 sp 00007ffde9477738 error 5 in
>> libcrypto.so.1.1[7f6b4d29c000+19e000]
>
> I have no idea how to debug this :-( Way out of my league here.
>

Try linking libcrypto.so.1.1 with debug symbols included (not stripped). This should make the error message point to the function, maybe even show the call stack.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From michal.moravec at logicworks.cz Thu Apr 15 14:02:51 2021
From: michal.moravec at logicworks.cz (Michal Moravec)
Date: Thu, 15 Apr 2021 14:02:51 +0000
Subject: PKCS7_decrypt vs RSA OAEP padding
In-Reply-To:
References: <014A6238-B9C5-498B-995B-46E3CCE2C2E3@logicworks.cz> <1FE54151-FBDB-40C5-9806-C61CF63573FE@logicworks.cz>
Message-ID: <22B29DE6-AE3B-4E37-BEDE-122C309D8D7D@logicworks.cz>

Thank you for the tip.

I replaced the Debian 1.1.1d with 1.1.1k built from source using ./config -d

Using file on the libcrypto.so.1.1 library now shows "with debug_info, not stripped".
ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=29204b7f7a988f750cdc94e14be6ad9526c563ef, with debug_info, not stripped

Also I recompiled the libscep library with my changes to include the debug symbols as well and installed it into the lib directory. I rebuilt the library cache using ldconfig and rebooted the OS just to be sure.

There is no difference in the trace output. Maybe this is because it is reported by the kernel in the kern.log, not by the code which made it happen?

However I managed to crash one of the libscep tests in a very similar way. I am not sure if it's 100% the same problem but it could be. Here is a trace obtained via coredumpctl:

           PID: 3450 (test_message)
           UID: 0 (root)
           GID: 0 (root)
        Signal: 11 (SEGV)
     Timestamp: Thu 2021-04-15 15:40:28 CEST (4min 59s ago)
  Command Line: /root/libscep/build/tests/test_message
    Executable: /root/libscep/build/tests/test_message
 Control Group: /user.slice/user-998.slice/session-3.scope
          Unit: session-3.scope
         Slice: user-998.slice
       Session: 3
     Owner UID: 998 (testuser)
       Boot ID: 5867d606efa040f4acb4cf059c5349a2
    Machine ID: 5678312713094967b594b42360c03298
      Hostname: scepdev
       Storage: /var/lib/systemd/coredump/core.test_message.0.5867d606efa040f4acb4cf059c5349a2.3450.1618494028000000.
       Message: Process 3450 (test_message) of user 0 dumped core.

                Stack trace of thread 3450:
                #0  0x00007efd1ec4cd70 CMS_get0_type (libcrypto.so.1.1)
                #1  0x00007efd1ec51a45 CMS_decrypt (libcrypto.so.1.1)
                #2  0x00007efd1f1ef195 n/a (/root/libscep/build/src/libscep.so)
                #3  0x00007efd1f1f26d7 n/a (/root/libscep/build/src/libscep.so)
                #4  0x00007efd1f1f1c09 n/a (/root/libscep/build/src/libscep.so)
                #5  0x0000555c6c96ab31 n/a (/root/libscep/build/tests/test_message)
                #6  0x0000555c6c96fcc6 n/a (/root/libscep/build/tests/test_message)

MM

> Try linking libcrypto.so.1.1 with debug symbols included (not stripped). This should make the error message point to the function, maybe even show the call stack.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From skip at taygeta.com Thu Apr 15 15:37:46 2021
From: skip at taygeta.com (Skip Carter)
Date: Thu, 15 Apr 2021 08:37:46 -0700
Subject: PEM_read_bio_RSAPublicKey equivalent API which returns EVP_PKEY
In-Reply-To:
References: ,<55526c04ddbbc19fa51a97c904c82beaa621d21c.camel@taygeta.com>
Message-ID: <6e9c6390976ab28c4543d8bfe91a3bf870e03fbd.camel@taygeta.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA384

Sunil,

Sorry, I didn't notice that you were talking about 3.0. My solution works for 1.1.1i. It looks like I am going to have your problem when I migrate to 3.0 too.

On Thu, 2021-04-15 at 04:30 +0000, Paramashivaiah, Sunil wrote:
> Hi Skip Carter,
>
> Thanks for your reply.
> I replaced the code as you suggested, but I am getting the below errors.
> It looks like I can't use RSA related APIs and data structures with OpenSSL
> 3.0. Please suggest if you know how to resolve these.
> I have included headers #include ,#include
> ,#include and #include
>
> error: 'RSA' was not declared in this scope
>     RSA *rsa = NULL;
>     ^~~
> error: 'rsa' was not declared in this scope
>     RSA *rsa = NULL;
>          ^~~
> note: suggested alternative: 'read'
>     RSA *rsa = NULL;
>          ^~~
>          read
> error: 'PEM_read_bio_RSAPublicKey' was not declared in this scope
>     rsa = PEM_read_bio_RSAPublicKey(keybio, NULL, NULL, NULL);
>           ^~~~~~~~~~~~~~~~~~~~~~~~~
> note: suggested alternative: 'PEM_read_bio_PrivateKey'
>     rsa = PEM_read_bio_RSAPublicKey(keybio, NULL, NULL, NULL);
>           ^~~~~~~~~~~~~~~~~~~~~~~~~
>           PEM_read_bio_PrivateKey
> error: 'EVP_PKEY_assign_RSA' was not declared in this scope
>     EVP_PKEY_assign_RSA(evpkey, rsa);
>     ^~~~~~~~~~~~~~~~~~~
> note: suggested alternative: 'EVP_PKEY_assign_DSA'
>     EVP_PKEY_assign_RSA(evpkey, rsa);
>     ^~~~~~~~~~~~~~~~~~~
>
> Thanks and Regards,
> Sunil
>
> From: Skip Carter
> Sent: 14 April 2021 20:58
> To: Paramashivaiah, Sunil
> Subject: Re: PEM_read_bio_RSAPublicKey equivalent API which returns
EVP_PKEY
>
> NOTICE: This email was received from an EXTERNAL sender.
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA384
>
> I accomplished this with:
>
> RSA *rsa = NULL;
>
> rsa = PEM_read_bio_RSAPublicKey(keybio,NULL,0,NULL);
> pkey = EVP_PKEY_new();
> EVP_PKEY_assign_RSA(pkey,rsa);
>
>
> On Wed, 2021-04-14 at 11:26 +0000, Paramashivaiah, Sunil wrote:
> > NEW CODE:
> >
> > EVP_PKEY *evpkey = NULL;
> > BIO *keybio ;
> > keybio = BIO_new_mem_buf((void*)key, -1);
> >
> > if (!keybio)
> > {
> >     return NULL;
> > }
> >
> > if ( isPKCS1 == false )
> > {
> >     evpkey = PEM_read_bio_PUBKEY(keybio, NULL, NULL, NULL);
> > }
> > else
> > {
> >     // PROBLEM: what is the alternate API to replace PEM_read_bio_RSAPublicKey
> >
> > }
> > ------------------------------------------------------------------------------------
> >
> >
> > Thanks and Regards,
> > Sunil
> >
> > From: openssl-users on behalf of
> > openssl-users-request at openssl.org
> > Sent: 12 April 2021 22:12
> > To: openssl-users at openssl.org
> > Subject: openssl-users Digest, Vol 77, Issue 20
> >
> > NOTICE: This email was received from an EXTERNAL sender.
> >
> >
> > Send openssl-users mailing list submissions to
> > openssl-users at openssl.org
> >
> > To subscribe or unsubscribe via the World Wide Web, visit
> > https://mta.openssl.org/mailman/listinfo/openssl-users
> > or, via email, send a message with subject or body 'help' to
> > openssl-users-request at openssl.org
> >
> > You can reach the person managing the list at
> > openssl-users-owner at openssl.org
> >
> > When replying, please edit your Subject line so it is more specific
> > than "Re: Contents of openssl-users digest..."
> >
> >
> > Today's Topics:
> >
> > 1. Re: EVP_MAC_init() in 3.0 alpha 13 (Hal Murray)
> > 2. Re: EVP_MAC_init() in 3.0 alpha 13 (Tomas Mraz)
> > 3. Re: error: redefinition of 'struct rsa_meth_st' (Shariful Alam)
> > 4. Re: PEM_read_bio_RSAPublicKey equivalent API which returns
> > EVP_PKEY (Richard Levitte)
> > 5. Re: error: redefinition of 'struct rsa_meth_st' (Matt Caswell)
> >
> >
> > ----------------------------------------------------------------------
> >
> > Message: 1
> > Date: Mon, 12 Apr 2021 05:48:57 -0700
> > From: Hal Murray
> > To: Dr Paul Dale
> > Cc: openssl-users at openssl.org
> > Subject: Re: EVP_MAC_init() in 3.0 alpha 13
> > Message-ID:
> > <20210412124857.623AB40605C at ip-64-139-1-69.sjc.megapath.net>
> > Content-Type: text/plain; charset=us-ascii
> >
> >
> > > Did you attempt to pass NULL for the key and zero for its length to the
> > > EVP_MAC_init() call?
> >
> > Yes.
> >
> > We can do better. If we have to use dup/free, we can move the EVP_MAC_init()
> > to before the dup, out of the timing path.
> >
> > My model is that initialization is 2 parts. The first is turning the key into
> > a big table. The second is initializing a small amount of state that is
> > whatever is needed/updated by EVP_MAC_update().
> >
> > I was hoping that EVP_MAC_init() with NULL key would bypass the first step and
> > do the second.
> >
> > If the second step involves a lot of computation we get into the space/time
> > tradeoff of computing it during step one and saving it in case EVP_MAC_init is
> > called with NULL key.
> >
> > If there was a copy operation we could use it instead of dup/free.
> >
> > Where is the code that does the key setup? I expect it will be obvious after
> > I see it, but I don't know my way around that linkage yet. I'm using the
> > default AES-128-CBC.
> >
> > ---------
> >
> > I don't think I've said it explicitly, but thanks for the change to the API
> > for EVP_MAC_init()
> >
> > ----------
> >
> > Should PKEY be a potentially interesting approach for something like this? I
> > think it was suggested months ago. One advantage is that the code works with
> > 1.1.1.
> >
> > It's horribly slow in 3.0
> >
> > alpha14:
> > 0.777 CMAC
> > 7.533 PKEY
> > 3.323 PKEY preload
> > 0.392 EVP_MAC
> > 0.308 EVP_MAC Preload with dup+free
> > 0.102 EVP_MAC Preload (no dup, wrong answer)
> >
> > 1.1.1k:
> > 0.285 CMAC
> > 0.550 PKEY
> > 0.196 PKEY preload
> >
> >
> > --
> > These are my opinions. I hate spam.
> >
> >
> > ------------------------------
> >
> > Message: 2
> > Date: Mon, 12 Apr 2021 15:05:37 +0200
> > From: Tomas Mraz
> > To: Hal Murray , Dr Paul Dale
> > Cc: openssl-users at openssl.org
> > Subject: Re: EVP_MAC_init() in 3.0 alpha 13
> > Message-ID:
> > <348b006ceb83fd4301438cbb0c57b473a4f4ef23.camel at openssl.org>
> > Content-Type: text/plain; charset="UTF-8"
> >
> > On Mon, 2021-04-12 at 05:48 -0700, Hal Murray wrote:
> > > > Did you attempt to pass NULL for the key and zero for its length
> > > > to the
> > > > EVP_MAC_init() call?
> > >
> > > Yes.
> > >
> > > We can do better. If we have to use dup/free, we can move the
> > > EVP_MAC_init()
> > > to before the dup, out of the timing path.
> > >
> > > My model is that initialization is 2 parts. The first is turning the
> > > key into
> > > a big table. The second is initializing a small amount of state that
> > > is
> > > whatever is needed/updated by EVP_MAC_update().
> > >
> > > I was hoping that EVP_MAC_init() with NULL key would bypass the first
> > > step and
> > > do the second.
> >
> > We would have to introduce the special semantics similar to
> > EVP_CipherInit() with EVP_MAC_init(). I.e., that the EVP_CipherInit()
> > with NULL key keeps the key schedule from the previous initialization.
> >
> > > If the second step involves a lot of computation we get into the
> > > space/time
> > > tradeoff of computing it during step one and saving it in case
> > > EVP_MAC_init is
> > > called with NULL key.
> > >
> > > If there was a copy operation we could use it instead of dup/free.
> >
> > I do not think we want to introduce the copy operation. We are trying
> > to get out of the copy() pattern as it is much harder to handle
> > correctly than the dup().
> >
> > > Where is the code that does the key setup? I expect it will be
> > > obvious after
> > > I see it, but I don't know my way around that linkage yet. I'm using
> > > the
> > > default AES-128-CBC.
> > >
> > > ---------
> > >
> > > I don't think I've said it explicitly, but thanks for the change to
> > > the API
> > > for EVP_MAC_init()
> > >
> > > ----------
> > >
> > > Should PKEY be a potentially interesting approach for something like
> > > this? I
> > > think it was suggested months ago. One advantage is that the code
> > > works with
> > > 1.1.1.
> > >
> > > It's horribly slow in 3.0
> > >
> > > alpha14:
> > > 0.777 CMAC
> > > 7.533 PKEY
> > > 3.323 PKEY preload
> > > 0.392 EVP_MAC
> > > 0.308 EVP_MAC Preload with dup+free
> > > 0.102 EVP_MAC Preload (no dup, wrong answer)
> > >
> > > 1.1.1k:
> > > 0.285 CMAC
> > > 0.550 PKEY
> > > 0.196 PKEY preload
> > >
> > >
> > >
> > --
> > Tomáš Mráz
> > No matter how far down the wrong road you've gone, turn back.
> > Turkish proverb
> > [You'll know whether the road is wrong if you carefully listen to your
> > conscience.]
> >
> >
> >
> >
> > ------------------------------
> >
> > Message: 3
> > Date: Mon, 12 Apr 2021 10:32:32 -0600
> > From: Shariful Alam
> > To: Dr Paul Dale
> > Cc: openssl-users at openssl.org
> > Subject: Re: error: redefinition of 'struct rsa_meth_st'
> > Message-ID:
> >
> > Content-Type: text/plain; charset="utf-8"
> >
> > Dr. Pauli,
> > Good morning. Thank you for replying. I found the documentation a bit
> > difficult for me to understand. I was wondering if you can direct me to a
> > sample skeleton code for creating a custom RSA engine.
> >
> > Regards,
> > Shariful Alam
> >
> > On Sun, Apr 11, 2021 at 6:00 PM Dr Paul Dale wrote:
> >
> > > You shouldn't be accessing the internals of a private structure.
That
> > > structure was made private for a reason and duplicating it in your engine
> > > will break when we change the structure's contents.
> > >
> > > Your engine should be using the EVP_PKEY_meth_set_* functions to do what
> > > you want (for 1.1.1). For 3.0, you should be writing a provider instead.
> > >
> > >
> > > Pauli
> > >
> > > On 12/4/21 5:04 am, Shariful Alam wrote:
> > >
> > > Hello,
> > > Hope you guys are doing well. I'm trying to develop an RSA engine. My
> > > engine was somewhat working until I try to integrate my engine with an
> > > apache httpd server. After installing the httpd from the source code, it
> > > turns out that I can't compile my engine anymore. I get the
> > > following error while I try to compile (it was compiling before and I did
> > > not make any changes to my engine code).
> > >
> > > ==============================
> > >
> > > $gcc -fPIC -c r_engine.c
> > >
> > > r_engine.c:29:8: error: redefinition of 'struct rsa_meth_st'
> > >  struct rsa_meth_st {
> > >         ^
> > > In file included from /usr/include/openssl/crypto.h:131:0,
> > >                  from r_engine.c:7:
> > > /usr/include/openssl/ossl_typ.h:147:16: note: originally defined here
> > >  typedef struct rsa_meth_st RSA_METHOD;
> > >
> > > =============================
> > >
> > > and my struct rsa_meth_st looks like the following,
> > >
> > > ================================================================================
> > >
> > > struct rsa_meth_st {
> > >     const char *name;
> > >     int (*rsa_pub_enc) (int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding);
> > >     int (*rsa_pub_dec) (int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding);
> > >     int (*rsa_priv_enc) (int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding);
> > >     int (*rsa_priv_dec) (int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding);
> > >     int (*rsa_mod_exp) (BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx);
> > >     int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
> > >     int (*init) (RSA *rsa);
> > >     int (*finish) (RSA *rsa);
> > >     int flags;
> > >     char *app_data;
> > >     int (*rsa_sign) (int type, const unsigned char *m, unsigned int m_length, unsigned char *sigret, unsigned int *siglen, const RSA *rsa);
> > >     int (*rsa_verify) (int dtype, const unsigned char *m, unsigned int m_length, const unsigned char *sigbuf, unsigned int siglen, const RSA *rsa);
> > >     int (*rsa_keygen) (RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb);
> > > };
> > >
> > > =================================================================================
> > >
> > > My sample skeleton code is here
> > > https://pastebin.com/uNXYknEA
> > >
> > > Can anyone please tell me what I am doing wrong?
> > >
> > > Regards,
> > > Shariful Alam
> > >
> > >
> > >
> > -------------- next part --------------
> > An HTML attachment was scrubbed...
> > URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20210412/3eab5997/attachment-0001.html>
> >
> > ------------------------------
> >
> > Message: 4
> > Date: Mon, 12 Apr 2021 18:34:51 +0200
> > From: Richard Levitte
> > To: "openssl-users at openssl.org"
> > Subject: Re: PEM_read_bio_RSAPublicKey equivalent API which returns
> > EVP_PKEY
> > Message-ID: <87h7kba2c4.wl-levitte at openssl.org>
> > Content-Type: text/plain; charset=US-ASCII
> >
> > On Mon, 12 Apr 2021 06:24:32 +0200,
> > Paramashivaiah, Sunil wrote:
> > >
> > > But, I couldn't find an equivalent API to replace "PEM_read_bio_RSAPublicKey" to get
> > EVP_PKEY for
> > > creating EVP ctx(EVP_PKEY_CTX_new) to use in "EVP_PKEY_encrypt" and
> > "EVP_PKEY_decrypt".
> >
> > I believe that one of these functions would help you:
> >
> > EVP_PKEY_CTX *EVP_PKEY_CTX_new(EVP_PKEY *pkey, ENGINE *e);
> >
> > EVP_PKEY_CTX *EVP_PKEY_CTX_new_from_pkey(OSSL_LIB_CTX *libctx,
> > EVP_PKEY *pkey, const char *propquery);
> >
> > Cheers,
> > Richard
> >
> > --
> > Richard Levitte levitte at openssl.org
> > OpenSSL Project http://www.openssl.org/~levitte/
> >
> >
> > ------------------------------
> >
> > Message: 5
> > Date: Mon, 12 Apr 2021 17:42:20 +0100
> > From: Matt Caswell
> > To: openssl-users at openssl.org
> > Subject: Re: error: redefinition of 'struct rsa_meth_st'
> > Message-ID:
> > Content-Type: text/plain; charset=utf-8; format=flowed
> >
> > You can look at the dummy async engine which wraps the standard RSA
> > functions inside an engine (as well as various other crypto primitives).
> > You can see it here:
> >
> > https://github.com/openssl/openssl/blob/OpenSSL_1_1_1-stable/engines/e_dasync.c
> >
> > Matt
> >
> > On 12/04/2021 17:32, Shariful Alam wrote:
> > > Dr. Pauli,
> > > Good morning. Thank you for replying. I found the documentation a bit
> > > difficult for me to understand. I was wondering if you can direct me to
> > > a sample skeleton code for creating a custom RSA engine.
> > >
> > > Regards,
> > > Shariful Alam
> > >
> > > On Sun, Apr 11, 2021 at 6:00 PM Dr Paul Dale
> > > wrote:
> > >
> > > You shouldn't be accessing the internals of a private structure. That
> > > structure was made private for a reason and duplicating it in your
> > > engine will break when we change the structure's contents.
> > >
> > > Your engine should be using the EVP_PKEY_meth_set_* functions to do
> > > what you want (for 1.1.1). For 3.0, you should be writing a
> > > provider instead.
> > >
> > >
> > > Pauli
> > >
> > > On 12/4/21 5:04 am, Shariful Alam wrote:
> > >> Hello,
> > >> Hope you guys are doing well. I'm trying to develop an RSA engine.
> > >> My engine was somewhat working until I try to integrate my engine
> > >> with an apache httpd server. After installing the httpd from the
> > >> source code, it turns out that I can't compile my engine anymore.
> > >> I get the following error while I try to compile (it was compiling
> > >> before and I did not make any changes to my engine code).
> > >>
> > >> ==============================
> > >>
> > >> $gcc -fPIC -c r_engine.c
> > >> r_engine.c:29:8: error: redefinition of 'struct rsa_meth_st'
> > >>  struct rsa_meth_st {
> > >>         ^
> > >> In file included from /usr/include/openssl/crypto.h:131:0,
> > >>                  from r_engine.c:7:
> > >> /usr/include/openssl/ossl_typ.h:147:16: note: originally defined here
> > >>  typedef struct rsa_meth_st RSA_METHOD;
> > >>
> > >> =============================
> > >>
> > >> and my struct rsa_meth_st looks like the following,
> > >>
> > >> ================================================================================
> > >>
> > >> struct rsa_meth_st {
> > >>
> > >>     const char *name;
> > >>     int (*rsa_pub_enc) (int flen, const unsigned char *from,
> > >> unsigned char *to, RSA *rsa, int padding);
> > >>     int (*rsa_pub_dec) (int flen, const unsigned char *from,
> > >> unsigned char *to, RSA *rsa, int padding);
> > >>     int (*rsa_priv_enc) (int flen, const unsigned char *from,
> > >> unsigned char *to, RSA *rsa, int padding);
> > >>     int (*rsa_priv_dec) (int flen, const unsigned char *from,
> > >> unsigned char *to, RSA *rsa, int padding);
> > >>
> > >>     int (*rsa_mod_exp) (BIGNUM *r0, const BIGNUM *I, RSA *rsa,
> > >> BN_CTX *ctx);
> > >>
> > >>     int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM
> > >> *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
> > >>
> > >>     int (*init) (RSA *rsa);
> > >>
> > >>     int (*finish) (RSA *rsa);
> > >>
> > >>     int flags;
> > >>
> > >>     char *app_data;
> > >>
> > >>     int (*rsa_sign) (int type, const unsigned char *m, unsigned
> > >> int m_length, unsigned char *sigret, unsigned int *siglen, const
> > >> RSA *rsa);
> > >>
> > >>     int (*rsa_verify) (int dtype, const unsigned char *m, unsigned
> > >> int m_length, const unsigned char *sigbuf, unsigned int siglen,
> > >> const RSA *rsa);
> > >>
> > >>     int (*rsa_keygen) (RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb);
> > >>
> > >> };
> > >>
> > >>
> > >> =================================================================================
> > >>
> > >> My sample skeleton code is here
> > >> https://pastebin.com/uNXYknEA
> > >> <https://pastebin.com/uNXYknEA>
> > >>
> > >> Can anyone please tell me what I am doing wrong?
> > >>
> > >> Regards,
> > >> Shariful Alam
> > >
> > >
> > >
> > ------------------------------
> >
> > Subject: Digest Footer
> >
> > _______________________________________________
> > openssl-users mailing list
> > openssl-users at openssl.org
> > https://mta.openssl.org/mailman/listinfo/openssl-users
> >
> >
> > ------------------------------
> >
> > End of openssl-users Digest, Vol 77, Issue 20
> > *********************************************
> >
> > Notice: This e-mail together with any attachments may contain information of Ribbon
> > Communications Inc. and its Affiliates that is confidential and/or proprietary for the
> > sole use of the intended recipient. Any review, disclosure, reliance or distribution
> > by others or forwarding without express permission is strictly prohibited. If you are
> > not the intended recipient, please notify the sender immediately and then delete all
> > copies, including any attachments.
> - -- > Dr Everett (Skip) Carter 0x8176163B > skip at taygeta.com > Taygeta Scientific Inc > 607 Charles Ave > Seaside CA 93955 > 831-641-0645 x103 > -----BEGIN PGP SIGNATURE----- > > iQGzBAEBCQAdFiEEyBZyWQiIsOIlHndA43NIE4F2FjsFAmB3CjsACgkQ43NIE4F2 > FjvGlQwAko3nDOgXdfjQaNN6S5+zQSjJW0K6KPURBDDpw0vzSjdynk0DmsapamV4 > BWdAaNkp2JobuNQqJOG67dKvKXkK2Ov1uXfja92mJ93C+h592qJAUMGpOgND2Uux > 9o4mkUVGhvOA3P4C9civXtHajZKAkW4atqRhT/2lv6QLYPX0w6aSNUqPDYfWDKXN > qK1mI+zvz1v6NBoLAbtNbdsHk8maELsfhnfKFwJhRfDjFD1yCXQvvXxzPLn2NKld > Wu7jSz6txs27I8V75F1915mymmscn+lm6cssjSPkNYZVqETOVXZbBPTNeVFw+/em > rPFCuy7RDZbFgjfEOY9FnDuJVo5qH53e8xAyRVdMP09gb6r5Med4a/qYXJBTYcth > s7SeCgfNW1Kv8zaqDehqLrsYAlX4A9swUa0beQGVZWcazEbJb+YvTa+wv2yhVUwo > 7TcX8fZ7sJuIvZHL0cY/24BxuF59MbQmxXSp1x6ZWSrLsQE9cqf4DIE/7pAIZACL > zRvFjYnZ > =g8q8 > -----END PGP SIGNATURE----- > > > Notice: This e-mail together with any attachments may contain information of Ribbon > Communications Inc. and its Affiliates that is confidential and/or proprietary for the > sole use of the intended recipient. Any review, disclosure, reliance or distribution > by others or forwarding without express permission is strictly prohibited. If you are > not the intended recipient, please notify the sender immediately and then delete all > copies, including any attachments. 
- --
Dr Everett (Skip) Carter 0x8176163B
skip at taygeta.com
Taygeta Scientific Inc
607 Charles Ave
Seaside CA 93955
831-641-0645 x103

-----BEGIN PGP SIGNATURE-----

iQGzBAEBCQAdFiEEyBZyWQiIsOIlHndA43NIE4F2FjsFAmB4XcoACgkQ43NIE4F2
FjuCLQwAgeBrdc1eMicsvMxK8k7TkK5BhpZWN6vviNKumhfldhNi+JiqFM7CTfeo
EOMZgqVX7GJfm8c6loP9WJ+H+77uxORoFMoAK5ffBML1MMewRGRAFizVW+iIjUx8
gxg0cgAtMZkSRDOd0Rf6796A+iYueqDC9HdgV5VB30mYapGEEDku5NUy5M1NGxcP
XkYjkOLLFbuxBmLCu+KDOhsKCrQW3/BA1eYeun3zRE9fVu126OHnsCbOq3knIwlT
GWs12fzfl0Rb9xCgcN8ZQaX42zo/4CsH/bNkJFmRZRWUniRTa/2swmXvgVUmRhbR
9X11w0UBcbov3S7H77wc/oB7dbr6oL+LGkkfdIu1wI7M2+KSod+CZR9xKuNi/bCV
2drN2o9qpsv3YnCF4BQ//4Xe58AxRD7ZOf/54A3WVjdMonSHNt2JcUpWynLqxve3
ca1OjMd9K2YvwAZRxgTU+x28fW1on5R3CgRDM31pbhPneJdImXqQAf3yIur76PC7
AZxrTUkE
=mtmp
-----END PGP SIGNATURE-----

From michal.moravec at logicworks.cz Thu Apr 15 15:40:34 2021
From: michal.moravec at logicworks.cz (Michal Moravec)
Date: Thu, 15 Apr 2021 15:40:34 +0000
Subject: PKCS7_decrypt vs RSA OAEP padding
In-Reply-To: <22B29DE6-AE3B-4E37-BEDE-122C309D8D7D@logicworks.cz>
References: <014A6238-B9C5-498B-995B-46E3CCE2C2E3@logicworks.cz> <1FE54151-FBDB-40C5-9806-C61CF63573FE@logicworks.cz> <22B29DE6-AE3B-4E37-BEDE-122C309D8D7D@logicworks.cz>
Message-ID: <15F2F15A-D05C-494F-90B5-732774836F9B@logicworks.cz>

VICTORY!

After replacing the PEM_write_bio_PKCS7/PEM_read_bio_CMS methods with i2d_PKCS7_bio/d2i_CMS_bio
https://github.com/EtneteraLogicworks/libscep/commit/b16cd6a97c979abd6ca0ab7af7a944ef553cf17d
PKCS7 (in this case CMS) decryption now works!

Code now looks like:

handle_encrypted_content(SCEP *handle, SCEP_DATA *data, PKCS7 *p7env, X509 *dec_cert, EVP_PKEY *dec_key) {
    ...
    CMS_ContentInfo *cmsEnv = NULL;
    BIO *conversion = NULL;
    conversion = BIO_new(BIO_s_mem());
    i2d_PKCS7_bio(conversion, p7env);        /* DER-encode the PKCS7 ... */
    cmsEnv = d2i_CMS_bio(conversion, NULL);  /* ... and parse the same bytes as CMS */
    if (cmsEnv == NULL) {
        /* parse failed: CMS_decrypt() dereferences cmsEnv in CMS_get0_type() */
        ...
    }
    CMS_decrypt(cmsEnv, dec_key, dec_cert, NULL, decData, 0);

MM

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From b_duvvuri at yahoo.com Fri Apr 16 08:36:05 2021
From: b_duvvuri at yahoo.com (Bala Duvvuri)
Date: Fri, 16 Apr 2021 08:36:05 +0000 (UTC)
Subject: OpenSSL 3.0 - providing entropy to EVP_RAND ?
In-Reply-To:
References: <1644797849.3514421.1616566460759.ref@mail.yahoo.com> <1644797849.3514421.1616566460759@mail.yahoo.com> <1da19067-8dbb-f832-f3bc-79dbd7b84eb8@openssl.org> <406505205.1959745.1618397253247@mail.yahoo.com> <1433467435.2017681.1618409383479@mail.yahoo.com>
Message-ID: <313513824.2729971.1618562165693@mail.yahoo.com>

Thank you for all the help, got this working.

Thanks
Bala

On Thursday, 15 April, 2021, 04:02:10 am IST, Dr Paul Dale wrote:

Comments inline.

Pauli

On 15/4/21 12:09 am, Bala Duvvuri wrote:

Hi Paul,

Thanks a lot for your response, thank you for pointing to /providers/implementations/rands/test_rng.c and the code to run the NIST test. Still finding it a bit difficult to wrap my head around these new APIs.

In the old implementation using OpenSSL 1.1.1, to generate random numbers:

a> we have set the callback for custom entropy (using RAND_DRBG_set_callbacks) for the RAND_DRBG_get0_master() DRBG instance (DRBG defaulted to CTR mode)
b> Also we have set the personalization string using RAND_DRBG_instantiate and the reseed interval to 1 using RAND_DRBG_set_reseed_interval for both master and public/private DRBG
c> RAND_bytes is used to avail random numbers.

"In summary, we want to use the CTR_DRBG implementation and provide our custom entropy/nonce from hardware"

I am not sure if my understanding is clear, can you please let me know this basic question: how to go about this in OpenSSL 3.0?

1> Will I be able to use the built in DRBG and set a new custom provider for the built in DRBG as parent?

Yes, exactly. This is what I've been saying.

2> OR, is this the approach I need to follow
rand = EVP_RAND_fetch(NULL, "CTR-DRBG", NULL);
Can you let me know how I can link this "rand" to the new parent that I set up?

You can't link DRBGs to parents after creation.
This code will use the OpenSSL built in entropy source and you won't be able to change it.

3> >> The built in DRBGs don't need the nonce, they will act as per SP800-90Ar1 section 9.1 with a nonce available from their parent.
/providers/implementations/rands/seed_src.c is the OpenSSL seed source and it doesn't supply nonces.
So does the built in DRBG need a nonce, as the above statements are contradictory?

It can accept a nonce. However, if one isn't provided it uses a random one grabbed from its parent via the generate call. The latter path is easier.

4> Also, where is the drbg_data defined/looked up in this case for the test data vectors
0 acvp_test.c 1341 const struct drbg_st *tst = &drbg_data[id];
1 acvp_test.c 1468 ADD_ALL_TESTS(drbg_test, OSSL_NELEM(drbg_data));

Try: grep drbg_data test/*

Thanks
Bala

On Wednesday, 14 April, 2021, 05:02:22 pm IST, Dr Paul Dale wrote:

For setting up a parent for a DRBG, look at /providers/implementations/rands/test_rng.c which produces seed material (test_rng_generate) and nonces (test_rng_nonce). The built in DRBGs don't need the nonce, they will act as per SP800-90Ar1 section 9.1 with a nonce available from their parent. /providers/implementations/rands/seed_src.c is the OpenSSL seed source and it doesn't supply nonces.

For the CAVS tests, look at test/acvp_test.c or test/evp_test.c which both include code to run NIST's tests.

Pauli

On 14/4/21 8:47 pm, Bala Duvvuri wrote:

1> >>The best way to do this, is to create a provider which acts as a seed source and to then use this as the parent of the primary DRBG. See, for example, test/testutil/fakerandom.c for how to do this. The key is to set up the seed source before the RNG subsystem is first used.

In our case we provide the entropy and nonce from hardware sources (as it's on an embedded platform) as requested by the DRBG in the older version.
Now, if we set up a custom provider and use it as the parent of the primary DRBG, it's not clear how the entropy and nonce from this provider will be accessed, i.e. which API is invoked for the entropy/nonce consumption (any specific callbacks set)? Can you please explain the steps or give an example of the usage?

2> Also, we need to set up the DRBG for the CAVS test (Input: EntropyInput, Nonce, PersonalizationString, AdditionalInput, EntropyInputPR, AdditionalInput, EntropyInputPR); with OpenSSL 1.1.1, the below steps were done:

RAND_DRBG_new(NID_aes_256_ctr, RAND_DRBG_FLAGS, NULL);
RAND_DRBG_set_callbacks // This will set up to return the provided entropy and nonce inputs
RAND_DRBG_instantiate // Pass personalization string.
RAND_DRBG_generate

Can you kindly let me know the equivalent steps with OpenSSL 3.0?

Thank you for your help in this.

Thanks
Bala

On Wednesday, 24 March, 2021, 11:56:18 am IST, Dr Paul Dale wrote:

RAND_add() forces a reseed to the DRBGs and uses the passed material (not as entropy but as additional input). EVP_RAND_reseed() is a more direct interface but remember that the built in DRBGs are free to ignore what the user claims is entropy. History has shown us time and again that entropy is often anything but.

The best way to do this is to create a provider which acts as a seed source and to then use this as the parent of the primary DRBG. See, for example, test/testutil/fakerandom.c for how to do this. The key is to set up the seed source before the RNG subsystem is first used.

If you simply want to replace the built-in DRBGs with a real random source, create a provider and set the appropriate environment/config variables.

Pauli

On 24/3/21 4:14 pm, Bala Duvvuri via openssl-users wrote:

Hi All,

In OpenSSL 1.1.1 version, we were using RAND_DRBG for random number generation. Using "RAND_DRBG_set_callbacks", we were able to call into our custom API for entropy and nonce generation. How can this be achieved with the EVP_RAND implementation, i.e. does it allow entropy to be provided?
Thanks
Bala

From stephen.farrell at cs.tcd.ie Fri Apr 16 11:47:44 2021
From: stephen.farrell at cs.tcd.ie (Stephen Farrell)
Date: Fri, 16 Apr 2021 12:47:44 +0100
Subject: Fwd: Question about RSA key access mechanism
In-Reply-To:
References:
Message-ID:

Hi all,

Just to see if I can help prompt a response... :-)

Danis is working with me to try to see how hard it is to reproduce meltdown and snarf a private key. Problem-N of many in doing that is knowing where private key bits are used in OpenSSL - so far gdb seems to be showing no accesses to p,q etc. when signing as part of new TLS session establishment, which is a puzzle.

Any/all hints gratefully received...

Thanks,
S.

On 12/04/2021 09:57, Danis Ozdemir wrote:
> Hi all,
>
> I hope all is good. My name is Danis Ozdemir, I'm a PhD student in Trinity College (Ireland) and I'm studying computer security. I'm trying to reproduce the meltdown attack as an effort to dive deep into the known attack types with some specific scenarios and "trying to see whether Meltdown could have been used against a web server making use of openssl libraries, running on an old, non-patched Linux kernel" is one of them. *Please notice that the intentions are purely academic here, rather than performing a real attack.*
>
> Before investigating a more realistic scenario, I started with an 'open box' approach in which the openssl server process reveals the addresses of the sub fields of its private key (The private key and the certificate used below were created using the command 'openssl req -x509 -nodes -days 1000 -newkey rsa:2048 -keyout priv.pem -out cert.pem', so they are RSA based. And I just used good, old printf in the function "ssl_set_pkey" in the file "ssl/ssl_rsa.c"):
>
> # LD_LIBRARY_PATH=${PWD} ./apps/openssl s_server -accept 54321 -cert my_keys/cert.pem -key my_keys/priv.pem -www
> Could not read params of DH parameters from my_keys/cert.pem
> Using default temp DH parameters
>
> DANIS - ssl_set_pkey - c->pkeys[0].privatekey : 0x55e4f9f01670 - 144
> Danis - ssl_set_pkey - pkey->keydata->n : 0x55e4f9f13d50
> Danis - ssl_set_pkey - pkey->keydata->e : 0x55e4f9f131e0
> Danis - ssl_set_pkey - pkey->keydata->d : 0x55e4f9f05790
> Danis - ssl_set_pkey - pkey->keydata->p : 0x55e4f9f05670
> Danis - ssl_set_pkey - pkey->keydata->q : 0x55e4f9f058b0
> Danis - ssl_set_pkey - pkey->keydata->dmp1 : 0x55e4f9f18850
> Danis - ssl_set_pkey - pkey->keydata->dmq1 : 0x55e4f9f13800
> Danis - ssl_set_pkey - pkey->keydata->iqmp : 0x55e4f9f13820
> ACCEPT
>
> Once the server is up and running, I get the real address of the sub field p using gdb:
>
> # ps -ef | grep -v grep | grep openssl
> adminq 1421 1280 0 16:55 pts/1 00:00:00 ./apps/openssl s_server -accept 54321 -cert my_keys/cert.pem -key my_keys/priv.pem -www
> # gdb
> GNU gdb (Debian 8.2.1-2+b3) 8.2.1
> Copyright (C) 2018 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.
> Type "show copying" and "show warranty" for details.
> This GDB was configured as "x86_64-linux-gnu".
> Type "show configuration" for configuration details.
> For bug reporting instructions, please see:
> Find the GDB manual and other documentation resources online at:
>
> For help, type "help".
> Type "apropos word" to search for commands related to "word".
> (gdb) attach 1421
> Attaching to process 1421
> Reading symbols from /home/adminq/Workspace/openssl/apps/openssl...(no debugging symbols found)...done.
> Reading symbols from /home/adminq/Workspace/openssl/libssl.so.3...(no debugging symbols found)...done.
> Reading symbols from /home/adminq/Workspace/openssl/libcrypto.so.3...(no debugging symbols found)...done.
> Reading symbols from /lib/x86_64-linux-gnu/libdl.so.2...Reading symbols from /usr/lib/debug/.build-id/d3/583c742dd47aaa860c5ae0c0c5bdbcd2d54f61.debug...done.
> done.
> Reading symbols from /lib/x86_64-linux-gnu/libpthread.so.0...Reading symbols from /usr/lib/debug/.build-id/e9/1114987a0147bd050addbd591eb8994b29f4b3.debug...done.
> done.
> [Thread debugging using libthread_db enabled]
> Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
> Reading symbols from /lib/x86_64-linux-gnu/libc.so.6...Reading symbols from /usr/lib/debug/.build-id/18/b9a9a8c523e5cfe5b5d946d605d09242f09798.debug...done.
> done.
> Reading symbols from /lib64/ld-linux-x86-64.so.2...Reading symbols from /usr/lib/debug/.build-id/f2/5dfd7b95be4ba386fd71080accae8c0732b711.debug...done.
> done.
> 0x00007efd06acd631 in __libc_accept (fd=4, addr=..., len=0x7ffca292907c) at ../sysdeps/unix/sysv/linux/accept.c:26
> 26 ../sysdeps/unix/sysv/linux/accept.c: No such file or directory.
> (gdb) x/6x 0x55e4f9f05670
> 0x55e4f9f05670: 0xf9f06b70 0x000055e4 0x00000010 0x00000010
> 0x55e4f9f05680: 0x00000000 0x0000000d
> (gdb) watch * (unsigned long *) 0x55e4f9f06b70
> Hardware watchpoint 1: * (unsigned long *) 0x55e4f9f06b70
> (gdb) c
> Continuing.
>
> So, this output tells me that the content of p starts from the address 0x55e4f9f06b70 and its length is 16*sizeof(unsigned long) bytes as p is of type bignum_st which has the following layout:
>
> struct bignum_st {
>     BN_ULONG *d;  /* Pointer to an array of 'BN_BITS2' bit chunks. */
>     int top;      /* Index of last used d +1. */
>     /* The next are internal book keeping for bn_expand. */
>     int dmax;     /* Size of the d array. */
>     int neg;      /* one if the number is negative */
>     int flags;
> };
>
> When I define a watchpoint for that address to verify that it has been accessed when a new client connects to the server and make the server continue, I can't see a hit which means this address hasn't been accessed. *I'm attaching the s_client output as a file, since it's longer compared to the outputs above.*
>
> I then dumped the whole non-executable pages that were allocated for this process using ptrace to see whether another copy of the key was present and I couldn't find any copies. So, either I'm doing something wrong (which is the case, most probably) or there's another area which contains another representation of the key for security reasons (given the fact that the raw key content is accessible in the RAM, this one seems less likely). Therefore, assuming I'm doing something wrong, if you could tell me what it is, I'd be grateful.
>
> Best regards,
> Danis Ozdemir

From matt at openssl.org Fri Apr 16 12:11:54 2021
From: matt at openssl.org (Matt Caswell)
Date: Fri, 16 Apr 2021 13:11:54 +0100
Subject: Fwd: Question about RSA key access mechanism
In-Reply-To:
References:
Message-ID:

On 12/04/2021 09:57, Danis Ozdemir wrote:
> When I define a watchpoint for that address to verify that it has been accessed when a new client connects to the server and make the server continue, I can't see a hit which means this address hasn't been accessed.
> *I'm attaching the s_client output as a file, since it's longer compared to the outputs above.*

You don't say which version of OpenSSL you are using (1.1.1 or 3.0?). That can make a big difference to the codepaths that you go through to get to actual RSA operations.

I'm assuming you are interested in the RSA signature from a TLSv1.3 CertVerify message. If so I would expect you to end up in the rsa_ossl_mod_exp function in crypto/rsa/rsa_ossl.c. It's there that I would expect to see accesses to "p". I suggest you set a breakpoint in that function and see what is happening.

Matt

> I then dumped the whole non-executable pages that were allocated for this process using ptrace to see whether another copy of the key was present and I couldn't find any copies. So, either I'm doing something wrong (which is the case, most probably) or there's another area which contains another representation of the key for security reasons (given the fact that the raw key content is accessible in the RAM, this one seems less likely). Therefore, assuming I'm doing something wrong, if you could tell me what it is, I'd be grateful.
>
> Best regards,
> Danis Ozdemir

From doctor at doctor.nl2k.ab.ca Fri Apr 16 13:25:50 2021
From: doctor at doctor.nl2k.ab.ca (The Doctor)
Date: Fri, 16 Apr 2021 07:25:50 -0600
Subject: Maiising Daily Snapshots for 20210416
Message-ID:

Anyone knows what happened?

--
Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca
Yahweh, Queen & country! Never Satan President Republic! Beware AntiChrist rising! Look at Psalms 14 and 53 on Atheism
https://www.empire.kred/ROOTNK?t=94a1f39b
A consequence-free mentality brings the most severe consequences.
-unknown

From matt at openssl.org Fri Apr 16 14:11:59 2021
From: matt at openssl.org (Matt Caswell)
Date: Fri, 16 Apr 2021 15:11:59 +0100
Subject: Maiising Daily Snapshots for 20210416
In-Reply-To:
References:
Message-ID: <8497a1b2-af68-c342-e9b8-09830000b801@openssl.org>

There was a power outage at the datacentre last night. Everything should hopefully be back to normal now, so hopefully the snapshots will arrive as normal tonight.

Matt

On 16/04/2021 14:25, The Doctor wrote:
> Anyone knows what happened?

From Matthias.St.Pierre at ncp-e.com Fri Apr 16 14:53:41 2021
From: Matthias.St.Pierre at ncp-e.com (Dr. Matthias St. Pierre)
Date: Fri, 16 Apr 2021 14:53:41 +0000
Subject: Maiising Daily Snapshots for 20210416
In-Reply-To: <8497a1b2-af68-c342-e9b8-09830000b801@openssl.org>
References: <8497a1b2-af68-c342-e9b8-09830000b801@openssl.org>
Message-ID: <8b5374bb3f214f958faf3f14fbad357d@ncp-e.com>

It seems a bit outdated nowadays to publish daily snapshots imho.

https://www.openssl.org/source/snapshot/

Instead of maintaining those snapshots, couldn't we just advertise the GitHub download links? Any branch or commit can be downloaded easily as ZIP or compressed TAR file, whatever you prefer.
Matthias

--

$ curl -JOL https://github.com/openssl/openssl/archive/refs/heads/master.tar.gz
$ curl -JOL https://github.com/openssl/openssl/archive/refs/heads/OpenSSL_1_1_1-stable.tar.gz
$ curl -JOL https://github.com/openssl/openssl/archive/refs/heads/master.zip
$ curl -JOL https://github.com/openssl/openssl/archive/refs/heads/OpenSSL_1_1_1-stable.zip
$ ls -l openssl-*.tar.gz openssl-*.zip
-rw-r--r-- 1 msp msp 14548457 Apr 16 16:34 openssl-master.tar.gz
-rw-r--r-- 1 msp msp 9996650 Apr 16 16:35 openssl-OpenSSL_1_1_1-stable.tar.gz
$ ls -l openssl-*.tar.gz openssl-*.zip
-rw-r--r-- 1 msp msp 17122833 Apr 16 16:41 openssl-master.zip
-rw-r--r-- 1 msp msp 11844030 Apr 16 16:41 openssl-OpenSSL_1_1_1-stable.zip

> -----Original Message-----
> From: openssl-users On Behalf Of Matt Caswell
> Sent: Friday, April 16, 2021 4:12 PM
> To: openssl-users at openssl.org
> Subject: Re: Maiising Daily Snapshots for 20210416
>
> There was a power outage at the datacentre last night. Everything should hopefully be back to normal now, so hopefully the snapshots will arrive as normal tonight.
>
> Matt
>
> On 16/04/2021 14:25, The Doctor wrote:
> > Anyone knows what happened?

From uri at ll.mit.edu Fri Apr 16 14:56:58 2021
From: uri at ll.mit.edu (Blumenthal, Uri - 0553 - MITLL)
Date: Fri, 16 Apr 2021 14:56:58 +0000
Subject: Maiising Daily Snapshots for 20210416
In-Reply-To: <8b5374bb3f214f958faf3f14fbad357d@ncp-e.com>
References: <8497a1b2-af68-c342-e9b8-09830000b801@openssl.org> <8b5374bb3f214f958faf3f14fbad357d@ncp-e.com>
Message-ID: <35577602-B6B0-40B9-9DA6-637E2B0C5AB2@ll.mit.edu>

IMHO, GitHub should be sufficient.

--
Regards,
Uri

There are two ways to design a system. One is to make it so simple there are obviously no deficiencies. The other is to make it so complex there are no obvious deficiencies. - C. A.
R. Hoare

On 4/16/21, 10:54, "openssl-users on behalf of Dr. Matthias St. Pierre" wrote:
From richard.simard at groupesti.com Fri Apr 16 16:27:23 2021
From: richard.simard at groupesti.com (Richard Simard)
Date: Fri, 16 Apr 2021 16:27:23 +0000
Subject: Help request
Message-ID:

When I try to sign a certificate, I get this message and yet the certificate and the key match. Someone can help me? Thank You!

Richard Simard

root at PKI:/# /usr/bin/openssl ca -selfsign -config /etc/root-ca.conf -in /ca/network-ca/csr/network-ca.csr -out /ca/network-ca/crt/network-ca.crt -extensions intermediate_ca_ext -startdate 20210101000000Z -enddate 20311231235959Z
Using configuration from /etc/root-ca.conf
Enter pass phrase for ./ca/root-ca/key/root-ca.key: ************
Check that the request matches the signature
Certificate request and CA private key do not match
root at PKI:/#
root at PKI:/# /usr/bin/openssl x509 -in /ca/root-ca/crt/root-ca.crt -noout -modulus | openssl md5
(stdin)= 53db1fd33d0df01c23fc588bab1697e3
root at PKI:/# /usr/bin/openssl rsa -in /ca/root-ca/key/root-ca.key -noout -modulus | openssl md5
Enter pass phrase for /ca/root-ca/key/root-ca.key: ************
(stdin)= 53db1fd33d0df01c23fc588bab1697e3
root at PKI:/# /usr/bin/openssl req -in /ca/root-ca/csr/root-ca.csr -noout -modulus | openssl md5
(stdin)= 53db1fd33d0df01c23fc588bab1697e3
root at PKI:/#

root-ca.conf :

[ default ]
ca = root-ca
dir = .
base_url = http://pki.groupesti.com
crl_url = http://crl.groupesti.com
ocsp_url = http://ocsp.groupesti.com
cps_url = http://cps.groupesti.com
aia_url = $base_url/$ca.cer
crl_url = $crl_url/$ca.crl
name_opt = multiline, -esc_msb, utf8
openssl_conf = openssl_init

[ root_ca ]
certificate = $dir/ca/$ca/crt/$ca.crt
private_key = $dir/ca/$ca/key/$ca.key
new_certs_dir = $dir/ca/$ca/newcrt
serial = $dir/ca/$ca/db/$ca.crt.srl
crlnumber = $dir/ca/$ca/db/$ca.crl.srl
database = $dir/ca/$ca/db/$ca.db
unique_subject = no
default_days = 3652
default_md = sha512
policy = match_pol
email_in_dn = no
preserve = no
name_opt = $name_opt
cert_opt = ca_default
copy_extensions = none
x509_extensions = intermediate_ca_ext
default_crl_days = 30
crl_extensions = crl_ext

[ intermediate_ca_ext ]
keyUsage = critical, keyCertSign, cRLSign
basicConstraints = critical, CA:true
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
authorityInfoAccess = @issuer_info
crlDistributionPoints = @crl_info
certificatePolicies = @policy_intermediate_ca_ext
MsCaV = DER:02:01:02

network-ca.conf:

[ default ]
ca = network-ca
dir = .
base_url = http://pki.groupesti.com
crl_url = http://crl.groupesti.com
ocsp_url = http://ocsp.groupesti.com
cps_url = http://cps.groupesti.com
aia_url = $base_url/$ca.cer
crl_url = $crl_url/$ca.crl
name_opt = multiline, -esc_msb, utf8
openssl_conf = openssl_init

[ req ]
default_bits = 8192
encrypt_key = yes
default_md = sha512
utf8 = yes
string_mask = utf8only
prompt = no
distinguished_name = ca_dn
req_extensions = ca_reqext
string_mask = MASK:0x2002

[ network_ca ]
certificate = $dir/ca/$ca/crt/$ca.crt
private_key = $dir/ca/$ca/key/$ca.key
new_certs_dir = $dir/ca/$ca/newcrt
serial = $dir/ca/$ca/db/$ca.crt.srl
crlnumber = $dir/ca/$ca/db/$ca.crl.srl
database = $dir/ca/$ca/db/$ca.db
unique_subject = no
default_days = 3652
default_md = sha512
policy = match_pol
email_in_dn = no
preserve = no
name_opt = $name_opt
cert_opt = ca_default
copy_extensions = none
x509_extensions = signing_ca_ext
default_crl_days = 1
crl_extensions = crl_ext

From richard.simard at groupesti.com Fri Apr 16 16:31:05 2021
From: richard.simard at groupesti.com (Richard Simard)
Date: Fri, 16 Apr 2021 16:31:05 +0000
Subject: Help request
In-Reply-To:
References:
Message-ID:

I just add this:

(stdin)= a9ea3acfbc9406a774245ac029d8d9f2
root at PKI:/# /usr/bin/openssl req -in /ca/network-ca/csr/network-ca.csr -noout -modulus | openssl md5
(stdin)= a9ea3acfbc9406a774245ac029d8d9f2

-----Original Message-----
From: openssl-users On Behalf Of Richard Simard
Sent: 16 April 2021 12:27
To: openssl-users at openssl.org
Subject: Help request

When I try to sign a certificate, I get this message and yet the certificate and the key match. Someone can help me? Thank You!
From openssl-users at dukhovni.org Fri Apr 16 16:36:50 2021
From: openssl-users at dukhovni.org (Viktor Dukhovni)
Date: Fri, 16 Apr 2021 12:36:50 -0400
Subject: Help request
In-Reply-To:
References:
Message-ID:

On Fri, Apr 16, 2021 at 04:27:23PM +0000, Richard Simard wrote:

> root at PKI:/# /usr/bin/openssl ca
>     -selfsign
>     ^^^^^^^^^
>     -config /etc/root-ca.conf
>     -in /ca/network-ca/csr/network-ca.csr
>     -out /ca/network-ca/crt/network-ca.crt
>     -extensions intermediate_ca_ext
>     -startdate 20210101000000Z
>     -enddate 20311231235959Z
> Using

I doubt you actually mean to use the "-selfsign" option:

ca(1):

    -selfsign
        Indicates the issued certificates are to be signed with the key the
        certificate requests were signed with (given with -keyfile).
        Certificate requests signed with a different key are ignored. If
        -spkac, -ss_cert or -gencrl are given, -selfsign is ignored.
        A consequence of using -selfsign is that the self-signed certificate
        appears among the entries in the certificate database (see the
        configuration option database), and uses the same serial number
        counter as all other certificates sign with the self-signed
        certificate.

If you actually intended to use it, then you're probably confused about what it means, and should change your mind.

--
    Viktor.

From ozdemird at tcd.ie Sat Apr 17 22:05:56 2021
From: ozdemird at tcd.ie (Danis Ozdemir)
Date: Sat, 17 Apr 2021 23:05:56 +0100
Subject: Fwd: Question about RSA key access mechanism
In-Reply-To:
References:
Message-ID:

Hi there,

Thank you very much for your email. As I was suspecting, I was making a mistake; after following the lead you provided (the function rsa_ossl_mod_exp in the file crypto/rsa/rsa_ossl.c) I started observing hits. I was basically making a mistake with the addresses to watch.

Best regards,
Danis

From preethi.kavi17 at gmail.com Mon Apr 19 07:44:47 2021
From: preethi.kavi17 at gmail.com (preethi teekaraman)
Date: Mon, 19 Apr 2021 13:14:47 +0530
Subject: facing issue in sha512 self - signed certificate
Message-ID:

Hi Openssl,

I'm creating a sha512 self-signed certificate for establishing a connection between client and server (nginx server), creating a separate key and cert for the server and a root cert for the client. Below is the link I followed for cert creation: https://gist.github.com/fntlnz/cf14feb5a46b2eda428e000157447309

Issue faced: there's no connection established, and we cross-checked the error log in the server; no error observed.

Openssl version: OpenSSL 1.0.1f 6 Jan 2014
nginx version: nginx/1.4.6 (Ubuntu)
OS version:
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 14.04.5 LTS
Release: 14.04
Codename: trusty

Is there any link or commands to follow while creating a cert for sha512?

Regards,
Preethi Teekaraman.
From amartin at xtec.com Mon Apr 19 13:59:25 2021
From: amartin at xtec.com (amartin at xtec.com)
Date: Mon, 19 Apr 2021 09:59:25 -0400
Subject: req command with -multivalue-rdn set
Message-ID: <003e01d73524$36578880$a3069980$@xtec.com>

I'm trying to create a certificate request with a multivalue RDN which involves CN+UID. I achieved the encoded multi-value RDN, but I want the UID being encoded first and then the CN. I always get the CN first, no matter what I put in the -subj "/CN=value+UID=value" or "/UID=value+CN=value". Changing the cnf [policy matching] entries switching the order of the CN=provided and UID=provided doesn't have any impact either.

However, if I use CN+serialNumber, I can change the encoding order successfully by changing the -subj between "/CN=value+serialNumber=value" or "/SerialNumber=value+CN=value".

This is the output of the mycsr.csr ASN.1 decoder for the multivalue RDN in the case of the UID:

SET (2 elem)
  SEQUENCE (2 elem)
    OBJECT IDENTIFIER 2.5.4.3 commonName (X.520 DN component)
    UTF8String John Doe
  SEQUENCE (2 elem)
    OBJECT IDENTIFIER 0.9.2342.19200300.100.1.1 userID (Some oddball X.500 attribute collection)
    UTF8String 12345567890

I want to obtain the same behavior I get for the serial number:

SET (2 elem)
  SEQUENCE (2 elem)
    OBJECT IDENTIFIER 2.5.4.5 serialNumber (X.520 DN component)
    PrintableString 1234567890
  SEQUENCE (2 elem)
    OBJECT IDENTIFIER 2.5.4.3 commonName (X.520 DN component)
    UTF8String John Doe

Any thoughts,

Thanks in Advance,
Alberto Martin

From Sunil.Paramashivaiah at rbbn.com Tue Apr 20 05:30:56 2021
From: Sunil.Paramashivaiah at rbbn.com (Paramashivaiah, Sunil)
Date: Tue, 20 Apr 2021 05:30:56 +0000
Subject: PKCS#1 RSAPublicKey in Openssl 3.0
Message-ID:

Hi All,

PEM_read_bio_RSAPublicKey is deprecated in Openssl 3.0.
I am unable to find an alternate API to get an EVP_PKEY from a PEM format PKCS#1 public key. Is the PKCS#1 public key not supported in Openssl 3.0? Please suggest to me how to get an EVP_PKEY from a PEM format PKCS#1 public key in Openssl 3.0.

Thanks and Regards,
Sunil

Notice: This e-mail together with any attachments may contain information of Ribbon Communications Inc. and its Affiliates that is confidential and/or proprietary for the sole use of the intended recipient. Any review, disclosure, reliance or distribution by others or forwarding without express permission is strictly prohibited. If you are not the intended recipient, please notify the sender immediately and then delete all copies, including any attachments.

From matt at openssl.org Tue Apr 20 07:26:44 2021
From: matt at openssl.org (Matt Caswell)
Date: Tue, 20 Apr 2021 08:26:44 +0100
Subject: PKCS#1 RSAPublicKey in Openssl 3.0
In-Reply-To:
References:
Message-ID:

On 20/04/2021 06:30, Paramashivaiah, Sunil wrote:
> Hi All,
>
> PEM_read_bio_RSAPublicKey is deprecated in Openssl 3.0. I am unable to find an alternate API to get an EVP_PKEY from a PEM format PKCS#1 public key. Is the PKCS#1 public key not supported in Openssl 3.0? Please suggest to me how to get an EVP_PKEY from a PEM format PKCS#1 public key in Openssl 3.0.

The functions PEM_read_bio_PUBKEY() or PEM_read_bio_PUBKEY_ex() can read an RSA PKCS#1 public key in PEM format and return it as an EVP_PKEY (RSA_read_bio_PUBKEY is also available in older versions of OpenSSL).

Alternatively you can use the newer and more flexible OSSL_DECODER_CTX_new_for_pkey() and OSSL_DECODER_from_bio().

Matt

From Sanjeev.Kumar-Mishra at rbbn.com Tue Apr 20 10:45:26 2021
From: Sanjeev.Kumar-Mishra at rbbn.com (Kumar Mishra, Sanjeev)
Date: Tue, 20 Apr 2021 10:45:26 +0000
Subject: How to access different fields of typedef struct evp_pkey_st EVP_PKEY.
Message-ID:

Hi,

I am not getting different functions in OpenSSL 3.0 for accessing different fields of typedef struct evp_pkey_st EVP_PKEY. For example, the code is like this:

EVP_PKEY * privKey;
-----
-----
if ( BN_cmp(privKey->pkey.rsa->n, pubKey->pkey.rsa->n) != 0 )
----
----
else if ((privKey->type == EVP_PKEY_EC) && (pubKey->type == EVP_PKEY_EC))
-----
------

All of those codes give a forward declaration error. What are the corresponding APIs in OpenSSL 3.0?

Thanks With Best Regards,
Sanjeev Kumar Mishra

From matt at openssl.org Tue Apr 20 10:58:50 2021
From: matt at openssl.org (Matt Caswell)
Date: Tue, 20 Apr 2021 11:58:50 +0100
Subject: How to access different fields of typedef struct evp_pkey_st EVP_PKEY.
In-Reply-To:
References:
Message-ID:

On 20/04/2021 11:45, Kumar Mishra, Sanjeev wrote:
> Hi,
> I am not getting different functions in OpenSSL 3.0 for accessing different fields of typedef struct evp_pkey_st EVP_PKEY. For Example - code is like this -
> EVP_PKEY * privKey;
> -----
> -----
> if ( BN_cmp(privKey->pkey.rsa->n, pubKey->pkey.rsa->n) != 0 )

BIGNUM *privn = NULL, *pubn = NULL;

/* Error handling omitted for brevity...*/
EVP_PKEY_get_bn_param(privKey, "n", &privn);
EVP_PKEY_get_bn_param(pubKey, "n", &pubn);
if ( BN_cmp(privn, pubn) != 0)

...
BN_free(privn);
BN_free(pubn);

> ----
> ----
> else if ((privKey->type == EVP_PKEY_EC) && (pubKey->type == EVP_PKEY_EC))

else if (EVP_PKEY_is_a(privKey, "EC") && EVP_PKEY_is_a(pubKey, "EC"))

Matt

From tomas at openssl.org Tue Apr 20 11:06:37 2021
From: tomas at openssl.org (Tomas Mraz)
Date: Tue, 20 Apr 2021 13:06:37 +0200
Subject: How to access different fields of typedef struct evp_pkey_st EVP_PKEY.
In-Reply-To:
References:
Message-ID: <8e7f2caf50306f13b6e74aeeddf675fdfea38b92.camel@openssl.org>

On Tue, 2021-04-20 at 10:45 +0000, Kumar Mishra, Sanjeev wrote:
> Hi,
> I am not getting different functions in OpenSSL 3.0 for accessing different fields of typedef struct evp_pkey_st EVP_PKEY. For Example - code is like this -
> EVP_PKEY * privKey;
> -----
> -----
> if ( BN_cmp(privKey->pkey.rsa->n, pubKey->pkey.rsa->n) != 0 )

If you just want to compare the private and public key for whether the public key components match, you can use:

if (EVP_PKEY_eq(pubKey, privKey) != 1) {
    /* keys do not match */
}

> ----
> ----
> else if ((privKey->type == EVP_PKEY_EC) && (pubKey->type == EVP_PKEY_EC))

You can use EVP_PKEY_base_id(key) to get the type; however it would be even better to use

EVP_PKEY_is_a(privKey, "EC") && EVP_PKEY_is_a(pubKey, "EC")

--
Tomáš Mráz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
[You'll know whether the road is wrong if you carefully listen to your conscience.]

From bhadrim at ca.ibm.com Wed Apr 21 22:07:53 2021
From: bhadrim at ca.ibm.com (Bhadri Madapusi)
Date: Wed, 21 Apr 2021 18:07:53 -0400
Subject: Documentation on openssl 1.0.2 / FIPS module version support for PPC LE
Message-ID:

Hi,

Is there any documentation on which versions of openssl are supported on PPC LE? I am trying to figure out which version of 1.0.2 source and FIPS module to use to compile my nginx with openssl and FIPS. Thank you.

regards,
Bhadri
URL: From kgoldman at us.ibm.com Wed Apr 21 22:27:54 2021 From: kgoldman at us.ibm.com (Kenneth Goldman) Date: Wed, 21 Apr 2021 18:27:54 -0400 Subject: Documentation on openssl 1.0.2 / FIPS module version support for PPC LE In-Reply-To: References: Message-ID: > From: "Bhadri Madapusi" > > Is there any documentation on which version of openssl are supported > on PPC LE. I am trying to figure out which version of 1.0.2 source > and FIPS module to use to compile my nginx with openssl and FIPS. Thank you. Not documentation, but my power machines run OpenSSL 1.1.1 11 Sep 2018 OpenSSL 1.1.0f-fips 25 May 2017 OpenSSL 1.1.0i-fips 14 Aug 2018 OpenSSL 1.1.1i FIPS 8 Dec 2020 -------------- next part -------------- An HTML attachment was scrubbed... URL: From sa0550000000 at gmail.com Thu Apr 22 05:01:14 2021 From: sa0550000000 at gmail.com (=?UTF-8?B?zrrDrs63xJ8gcsOyw7PPhOKAucK54oC5?=) Date: Thu, 22 Apr 2021 08:01:14 +0300 Subject: openssl-users Digest, Vol 77, Issue 36 In-Reply-To: References: Message-ID: ? 2021-04-22 1:08 ??????+03:00, openssl-users-request at openssl.org : > Send openssl-users mailing list submissions to > openssl-users at openssl.org > > To subscribe or unsubscribe via the World Wide Web, visit > https://mta.openssl.org/mailman/listinfo/openssl-users > or, via email, send a message with subject or body 'help' to > openssl-users-request at openssl.org > > You can reach the person managing the list at > openssl-users-owner at openssl.org > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of openssl-users digest..." > > > Today's Topics: > > 1. Re: PKCS#1 RSAPublicKey in Openssl 3.0 (Matt Caswell) > 2. How to access different fields of typedef struct evp_pkey_st > EVP_PKEY. (Kumar Mishra, Sanjeev) > 3. Re: How to access different fields of typedef struct > evp_pkey_st EVP_PKEY. (Matt Caswell) > 4. Re: How to access different fields of typedef struct > evp_pkey_st EVP_PKEY. (Tomas Mraz) > 5. 
>       Documentation on openssl 1.0.2 / FIPS module version support
>       for PPC LE (Bhadri Madapusi)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 20 Apr 2021 08:26:44 +0100
> From: Matt Caswell
> To: openssl-users at openssl.org
> Subject: Re: PKCS#1 RSAPublicKey in Openssl 3.0
> Message-ID: 
> Content-Type: text/plain; charset=windows-1252; format=flowed
>
>
>
> On 20/04/2021 06:30, Paramashivaiah, Sunil wrote:
>> Hi All,
>>
>>      PEM_read_bio_RSAPublicKey is deprecated in Openssl 3.0. I am
>> unable to find
>>      an alternate API to get EVP_PKEY from Pem format PKCS#1 Public key.
>>      Is PKCS#1 Public key not supported in Openssl 3.0
>>      Please suggest me how to get EVP_PKEY from Pem format PKCS#1
>> Public key in Openssl 3.0
>>
>
> The functions PEM_read_bio_PUBKEY() or PEM_read_bio_PUBKEY_ex() can read
> an RSA PKCS#1 public key in PEM format and return it as an EVP_PKEY
> (RSA_read_bio_PUBKEY is also available in older versions of OpenSSL).
>
> Alternatively you can use the newer and more flexible
> OSSL_DECODER_CTX_new_for_pkey() and OSSL_DECODER_from_bio().
>
> Matt
>
>
> ------------------------------
>
> Message: 2
> Date: Tue, 20 Apr 2021 10:45:26 +0000
> From: "Kumar Mishra, Sanjeev"
> To: "openssl-users at openssl.org"
> Cc: "Paramashivaiah, Sunil" ,
> 	"Bhattacharjee, Debapriyo \(c\)" , Shivakumar
> 	Poojari
> Subject: How to access different fields of typedef struct evp_pkey_st
> 	EVP_PKEY.
> Message-ID: 
>
>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi,
> I am not getting different functions in OpenSSL 3.0 for accessing different
> fields of typedef struct evp_pkey_st EVP_PKEY. For Example - code is like
> this -
> EVP_PKEY * privKey;
> -----
> -----
> if ( BN_cmp(privKey->pkey.rsa->n, pubKey->pkey.rsa->n) != 0 )
> ----
> ----
> else if ((privKey->type == EVP_PKEY_EC) && (pubKey->type == EVP_PKEY_EC))
> -----
> ------
>
>
> All of those codes give a forward declaration error.
> What are the corresponding APIs in OpenSSL 3.0?
>
> Thanks With Best Regards,
> Sanjeev Kumar Mishra
>
> -------------- next part --------------
> An HTML attachment was scrubbed...
>
>
> ------------------------------
>
> Message: 3
> Date: Tue, 20 Apr 2021 11:58:50 +0100
> From: Matt Caswell
> To: openssl-users at openssl.org
> Subject: Re: How to access different fields of typedef struct
> 	evp_pkey_st EVP_PKEY.
> Message-ID: 
> Content-Type: text/plain; charset=windows-1252; format=flowed
>
>
>
> On 20/04/2021 11:45, Kumar Mishra, Sanjeev wrote:
>> Hi,
>> I am not getting different functions in OpenSSL 3.0 for accessing
>> different fields of typedef struct evp_pkey_st EVP_PKEY. For Example -
>> code is like this -
>> EVP_PKEY * privKey;
>> -----
>> -----
>> if ( BN_cmp(privKey->pkey.rsa->n, pubKey->pkey.rsa->n) != 0 )
>
> BIGNUM *privn = NULL, *pubn = NULL;
>
> /* Error handling omitted for brevity...*/
> EVP_PKEY_get_bn_param(privKey, "n", &privn);
> EVP_PKEY_get_bn_param(pubKey, "n", &pubn);
> if ( BN_cmp(privn, pubn) != 0)
>
> ...
> BN_free(privn);
> BN_free(pubn);
>
>> ----
>> ----
>> else if ((privKey->type == EVP_PKEY_EC) && (pubKey->type == EVP_PKEY_EC))
>
>
> else if (EVP_PKEY_is_a(privKey, "EC") && EVP_PKEY_is_a(pubKey, "EC"))
>
>
>
> Matt
>
>
> ------------------------------
>
> Message: 4
> Date: Tue, 20 Apr 2021 13:06:37 +0200
> From: Tomas Mraz
> To: "Kumar Mishra, Sanjeev" ,
> 	"openssl-users at openssl.org"
> Cc: "Paramashivaiah, Sunil" ,
> 	"Bhattacharjee, Debapriyo \(c\)" , Shivakumar
> 	Poojari
> Subject: Re: How to access different fields of typedef struct
> 	evp_pkey_st EVP_PKEY.
> Message-ID:
> 	<8e7f2caf50306f13b6e74aeeddf675fdfea38b92.camel at openssl.org>
> Content-Type: text/plain; charset="UTF-8"
>
> On Tue, 2021-04-20 at 10:45 +0000, Kumar Mishra, Sanjeev wrote:
>> Hi,
>> I am not getting different functions in OpenSSL 3.0 for accessing
>> different fields of typedef struct evp_pkey_st EVP_PKEY. For Example
>> - code is like this -
>> EVP_PKEY * privKey;
>> -----
>> -----
>> if ( BN_cmp(privKey->pkey.rsa->n, pubKey->pkey.rsa->n) != 0 )
>
> If you just want to compare the private and public key to check whether the
> public key components match, you can use:
>
> if (EVP_PKEY_eq(pubKey, privKey) != 1) {
>     /* keys do not match */
> }
>
>> ----
>> ----
>> else if ((privKey->type == EVP_PKEY_EC) && (pubKey->type ==
>> EVP_PKEY_EC))
>
> You can use EVP_PKEY_base_id(key) to get the type, however it would be
> even better to use
> EVP_PKEY_is_a(privKey, "EC") && EVP_PKEY_is_a(pubKey, "EC")
>
>
> -- 
> Tomáš Mráz
> No matter how far down the wrong road you've gone, turn back.
>                                               Turkish proverb
> [You'll know whether the road is wrong if you carefully listen to your
> conscience.]
>
>
>
>
> ------------------------------
>
> Message: 5
> Date: Wed, 21 Apr 2021 18:07:53 -0400
> From: "Bhadri Madapusi"
> To: openssl-users at openssl.org
> Subject: Documentation on openssl 1.0.2 / FIPS module version support
> 	for PPC LE
> Message-ID: 
>
>
> Content-Type: text/plain; charset="us-ascii"
>
>
> Hi,
>
> Is there any documentation on which version of openssl are supported on
> PPC LE. I am trying to figure out which version of 1.0.2 source and FIPS
> module to use to compile my nginx with openssl and FIPS. Thank you.
>
> regards,
>
> Bhadri
> -------------- next part --------------
> An HTML attachment was scrubbed...
>
>
> ------------------------------
>
> Subject: Digest Footer
>
> _______________________________________________
> openssl-users mailing list
> openssl-users at openssl.org
> https://mta.openssl.org/mailman/listinfo/openssl-users
>
>
> ------------------------------
>
> End of openssl-users Digest, Vol 77, Issue 36
> *********************************************
>

From vadivel86 at gmail.com Thu Apr 22 12:52:44 2021
From: vadivel86 at gmail.com (Vadivel P)
Date: Thu, 22 Apr 2021 18:22:44 +0530
Subject: facing issue in sha512 self - signed certificate
In-Reply-To: 
References: 
Message-ID: 

Hi All,

Looking for the same support of SHA512. Do we have sha512 support in any open source? Please let me know.

Regards,
Vadivel

On Mon, Apr 19, 2021, 13:15 preethi teekaraman wrote:

> Hi Openssl,
>
> I'm creating a sha512 self-signed certificate for establishing a connection
> between client and server (nginx server).
> creating separate key, cert for server and root cert for client.
> below is the link i followed for cert creation:
> https://gist.github.com/fntlnz/cf14feb5a46b2eda428e000157447309
>
> Issue faced :
> There's no connection established and we cross-checked the error log in the server,
> no error observed.
>
> Openssl version : OpenSSL 1.0.1f 6 Jan 2014
>
> nginx version: nginx/1.4.6 (Ubuntu)
>
> OS version
>
> No LSB modules are available.
>
> Distributor ID: Ubuntu
>
> Description: Ubuntu 14.04.5 LTS
>
> Release: 14.04
>
> Codename: trusty
>
>
> is there any link or commands to follow while creating a cert for sha512?
>
>
> Regards,
>
> Preethi Teekaraman.

From openssl at openssl.org Thu Apr 22 14:03:29 2021
From: openssl at openssl.org (OpenSSL)
Date: Thu, 22 Apr 2021 14:03:29 +0000
Subject: OpenSSL version 3.0.0-alpha15 published
Message-ID: <20210422140329.GA25386@openssl.org>

OpenSSL version 3.0 alpha 15 released
=====================================

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

OpenSSL 3.0 is currently in alpha. OpenSSL 3.0 alpha 15 has now been made available.

Note: This OpenSSL pre-release has been provided for testing ONLY. It should NOT be used for security critical purposes.

Specific notes on upgrading to OpenSSL 3.0 from previous versions, as well as known issues, are available on the OpenSSL Wiki, here:

https://wiki.openssl.org/index.php/OpenSSL_3.0

The alpha release is available for download via HTTPS and FTP from the following master locations (you can find the various FTP mirrors under https://www.openssl.org/source/mirror.html):

* https://www.openssl.org/source/
* ftp://ftp.openssl.org/source/

The distribution file name is:

o openssl-3.0.0-alpha15.tar.gz
  Size: 14423249
  SHA1 checksum: 57be66515f808b77d5b163a55474801f8bd764f4
  SHA256 checksum: 7ebc12910a19d94c13ce589024c5ab655a81152823fe37a3b5753436f3706831

The checksums were calculated using the following commands:

openssl sha1 openssl-3.0.0-alpha15.tar.gz
openssl sha256 openssl-3.0.0-alpha15.tar.gz

Please download and check this alpha release as soon as possible. To report a bug, open an issue on GitHub:

https://github.com/openssl/openssl/issues

Please check the release notes and mailing lists to avoid duplicate reports of known issues.
(Of course, the source is also available on GitHub.)

Yours,
The OpenSSL Project Team.

From markhack at markhack.com Thu Apr 22 14:35:26 2021
From: markhack at markhack.com (Mark Hack)
Date: Thu, 22 Apr 2021 09:35:26 -0500
Subject: facing issue in sha512 self - signed certificate
In-Reply-To: 
References: 
Message-ID: 

You will need to be a lot more specific - this works fine

openssl s_client -connect localhost:443 | openssl x509 -noout -text

Can't use SSL_get_servername
depth=0 C = US, ST = TX, L = Somewhere, O = MarkHack, OU = Test, CN = fakeserver.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = TX, L = Somewhere, O = MarkHack, OU = Test, CN = fakeserver.com
verify return:1
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            5d:72:e6:0c:24:3f:97:7f:66:09:f6:a5:f7:f8:96:95:ed:cb:26:59
        Signature Algorithm: sha512WithRSAEncryption
        Issuer: C = US, ST = TX, L = Somewhere, O = MarkHack, OU = Test, CN = fakeserver.com
        Validity
            Not Before: Apr 22 14:22:50 2021 GMT
            Not After : Apr 22 14:22:50 2022 GMT
        Subject: C = US, ST = TX, L = Somewhere, O = MarkHack, OU = Test, CN = fakeserver.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
                Modulus:
                    00:b8:c0:72:0e:81:ec:49:fd:6d:06:c2:15:1c:a7:
                    ....
                    cf:5c:cb
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                7A:E4:80:D6:86:BF:03:BE:3C:16:C6:99:B7:66:BE:CE:52:F7:96:F2
            X509v3 Authority Key Identifier:
                keyid:7A:E4:80:D6:86:BF:03:BE:3C:16:C6:99:B7:66:BE:CE:52:F7:96:F2
            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha512WithRSAEncryption
         27:1e:c7:f4:7a:7e:43:39:1f:3d:8b:08:94:67:bf:9d:e9:38:
         ....
         a5:fb:21:9c:d7:f5:28:67

On Thu, 2021-04-22 at 18:22 +0530, Vadivel P wrote:
> Hi All,
>
> Looking for the same support of SHA512. Do we have sha512 support in
> any open source? Please let me know.
>
> Regards,
> Vadivel
>
> On Mon, Apr 19, 2021, 13:15 preethi teekaraman <
> preethi.kavi17 at gmail.com> wrote:
> > Hi Openssl,
> >
> > I'm creating a sha512 self-signed certificate for establishing a
> > connection between client and server (nginx server).
> > creating separate key, cert for server and root cert for client.
> > below is the link i followed for cert creation:
> > https://gist.github.com/fntlnz/cf14feb5a46b2eda428e000157447309
> >
> > Issue faced :
> > There's no connection established and we cross-checked the error log in
> > the server, no error observed.
> >
> > Openssl version : OpenSSL 1.0.1f 6 Jan 2014
> >
> >
> > nginx version: nginx/1.4.6 (Ubuntu)
> >
> >
> > OS version
> >
> >
> > No LSB modules are available.
> >
> >
> > Distributor ID: Ubuntu
> >
> >
> > Description:
> > Ubuntu 14.04.5 LTS
> >
> >
> > Release:
> > 14.04
> >
> >
> > Codename: trusty
> >
> > is there any link or commands to follow while creating a cert for
> > sha512?
> >
> > Regards,
> > Preethi Teekaraman.
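Mark's reply shows what a working SHA-512 self-signed certificate looks like when pulled through s_client and x509 -text. The script below is an added example, not code from the list: it builds such a certificate, reads back the signature algorithm the way Mark does, and checks that the certificate validates against itself as trust anchor (Mark's s_client run, which had no trust store configured, reports verify error:num=18 for the same certificate). It assumes an openssl binary on PATH; -sha512 is accepted by openssl req from the 1.0.x series onwards, so it applies to the 1.0.1f setup in the question.

```shell
#!/bin/sh
# Added example (not from the list): make a SHA-512-signed self-signed
# certificate and confirm what was produced, as Mark's s_client output
# above does (Signature Algorithm: sha512WithRSAEncryption).
# Assumes an openssl binary on PATH.

# make_sha512_selfsigned DIR CN
# Writes DIR/key.pem (unencrypted RSA-2048) and DIR/cert.pem, valid one year.
make_sha512_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha512 -days 365 \
        -subj "/CN=$2" -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# cert_sig_alg CERT.pem
# Prints the signature algorithm name from the parsed certificate, e.g.
# sha512WithRSAEncryption. Seeing sha256WithRSAEncryption here would mean
# the -sha512 option never reached openssl req.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# cert_self_verifies CERT.pem
# Returns 0 when the certificate chains to itself as trust anchor: this is
# the check a client performs once the self-signed cert is installed as
# its root. Without that root, s_client prints verify error:num=18.
cert_self_verifies() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# server_sig_alg HOST:PORT
# Mark's check against a live server: fetch the leaf certificate with
# s_client and print its signature algorithm.
server_sig_alg() {
    openssl s_client -connect "$1" -servername "${1%%:*}" </dev/null 2>/dev/null \
        | openssl x509 -noout -text \
        | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Demonstration in a temporary directory.
d=$(mktemp -d)
make_sha512_selfsigned "$d" fakeserver.example
echo "signature algorithm: $(cert_sig_alg "$d/cert.pem")"
cert_self_verifies "$d/cert.pem" && echo "verifies against itself: OK"
rm -rf "$d"
```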
From wmk589 at yahoo.com Mon Apr 26 18:29:01 2021
From: wmk589 at yahoo.com (Robert Smith)
Date: Mon, 26 Apr 2021 18:29:01 +0000 (UTC)
Subject: Linker failure after compilation with "enable-crypto-mdebug"
References: <1451023117.1332542.1619461741890.ref@mail.yahoo.com>
Message-ID: <1451023117.1332542.1619461741890@mail.yahoo.com>

Hello everyone.

I'm trying to recompile OpenSSL version 1.1.1k under Windows 10 with the following configuration flag enable-crypto-mdebug and getting the following linker error:

   Creating library apps\openssl.lib and object apps\openssl.exp
openssl.obj : error LNK2019: unresolved external symbol _CRYPTO_mem_leaks referenced in function _main
apps\openssl.exe : fatal error LNK1120: 1 unresolved externals
NMAKE : fatal error U1077: '"C:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\BIN\link.EXE"' : return code '0x460'
Stop.
NMAKE : fatal error U1077: '"C:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\BIN\nmake.exe"' : return code '0x2'
Stop.

Wasted already a few hours trying to figure out the cause for this failure. Any idea what went wrong?
Thanks

From Matthias.St.Pierre at ncp-e.com Tue Apr 27 19:49:51 2021
From: Matthias.St.Pierre at ncp-e.com (Dr. Matthias St. Pierre)
Date: Tue, 27 Apr 2021 19:49:51 +0000
Subject: configuration options 'fips' and 'makedepend' disabled by default on master
Message-ID: <017ef34527de4d38bcbe76b247d7026a@ncp-e.com>

Just a short heads-up to all users testing and developing for OpenSSL 3.0:

The defaults for the configuration options 'fips' and 'makedepend' are going to change on the master branch soon (i.e., before the release of 3.0.0 alpha16): they will be disabled by default.

If your developer workflow or your continuous integration relies on one of those options, now is a good time to enable them explicitly by adding 'enable-fips' resp. 'enable-makedepend' to your configure arguments.
Regards,
Matthias

disable fips: https://github.com/openssl/openssl/pull/13684/commits/b76c7c2513384013f4edd5ed39f7175adbc8aaca
disable makedepend: https://github.com/openssl/openssl/pull/15050/commits/40a85b61d0b8344941b751d6e34d752a7d8e0827

From external.schetan at jp.adit-jv.com Wed Apr 28 02:37:12 2021
From: external.schetan at jp.adit-jv.com (Chetan, Sethi (Sasken; LEADER ; ADITJ/SWG))
Date: Wed, 28 Apr 2021 02:37:12 +0000
Subject: memory leak debug options
Message-ID: 

Hello,

Currently we are seeing the below 3 patterns of memory leak issue with Openssl 1.1.1i and 1.1.1k versions, using the address sanitizer option, as below:

Direct leak of 208 byte(s) in 2 object(s) allocated from:
    #0 0x9ef57b in __interceptor_malloc (/usr/local/bin/autoai/custom_binary+0x9ef57b)
    #1 0xffffac627743 in BN_MONT_CTX_new (/usr/lib64/libcrypto.so.1.1+0xaf743)
    #2 0xffffac627baf in BN_MONT_CTX_set_locked (/usr/lib64/libcrypto.so.1.1+0xafbaf)
    #3 0xffffac6ec77b (/usr/lib64/libcrypto.so.1.1+0x17477b)  rsa_ossl_public_decrypt
    #4 0xffffac6f0577 (/usr/lib64/libcrypto.so.1.1+0x178577)  RSA_verify_ASN1_OCTET_STRING
    #5 0xffffac6eef1b (/usr/lib64/libcrypto.so.1.1+0x176f1b)  pkey_rsa_verify
    #6 0xffffac6b44cf in EVP_DigestVerifyFinal (/usr/lib64/libcrypto.so.1.1+0x13c4cf)
    #7 0xffffac8d95c7 (/usr/lib64/libssl.so.1.1+0x515c7)  tls_process_key_exchange -> EVP_DigestVerify -> EVP_DigestVerifyFinal
    #8 0xffffac8d9b33 (/usr/lib64/libssl.so.1.1+0x51b33)  ossl_statem_client_process_message
    #9 0xffffac8d3acb (/usr/lib64/libssl.so.1.1+0x4bacb)  state_machine -> read_state_machine -> *process_change -> ossl_statem_client_process_message
    #10 0xffffac8c01fb in SSL_do_handshake (/usr/lib64/libssl.so.1.1+0x381fb)  via SSL_connect
    #11 0xffffac858f3b (/usr/lib64/libcurl.so.4+0x4ff3b)  ossl_connect_step2
    #12 0xffffac85afeb (/usr/lib64/libcurl.so.4+0x51feb)
    ossl_connect_common
    #13 0xffffac85c1ef (/usr/lib64/libcurl.so.4+0x531ef)  Curl_ssl_connect_nonblocking
    #14 0xffffac82c96f (/usr/lib64/libcurl.so.4+0x2396f)  https_connecting

Indirect leak of 2064 byte(s) in 2 object(s) allocated from:
    #0 0x9ef57b in __interceptor_malloc (/usr/local/bin/autoai/custom_binary+0x9ef57b)
    #1 0xffffac6bf173 in CRYPTO_zalloc (/usr/lib64/libcrypto.so.1.1+0x147173)
    #2 0xffffac625fd7 (/usr/lib64/libcrypto.so.1.1+0xadfd7)  bn_expand2
    #3 0xffffac6262af in BN_set_bit (/usr/lib64/libcrypto.so.1.1+0xae2af)
    #4 0xffffac627a0b in BN_MONT_CTX_set (/usr/lib64/libcrypto.so.1.1+0xafa0b)
    #5 0xffffac627bc3 in BN_MONT_CTX_set_locked (/usr/lib64/libcrypto.so.1.1+0xafbc3)

Indirect leak of 1536 byte(s) in 5 object(s) allocated from:
    #0 0x9ef57b in __interceptor_malloc (/usr/local/bin/autoai/custom_binary+0x9ef57b)
    #1 0xffffac6bf173 in CRYPTO_zalloc (/usr/lib64/libcrypto.so.1.1+0x147173)
    #2 0xffffac625fd7 (/usr/lib64/libcrypto.so.1.1+0xadfd7)  bn_expand2
    #3 0xffffac626143 in BN_copy (/usr/lib64/libcrypto.so.1.1+0xae143)
    #4 0xffffac6278a3 in BN_MONT_CTX_set (/usr/lib64/libcrypto.so.1.1+0xaf8a3)
    #5 0xffffac627bc3 in BN_MONT_CTX_set_locked (/usr/lib64/libcrypto.so.1.1+0xafbc3)

After static analysis we noted that the crypto_malloc and crypto_free functions are further called. In these functions we could see the debug flags OPENSSL_NO_CRYPTO_MDEBUG and OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE, which might provide useful information in debugging this leak issue.

In this regard we have the below queries:

1. Could you please let us know how to enable/check the logs generated by the above debug flags?

2. We tried one experiment wherein we disabled the flags RSA_FLAG_CACHE_PUBLIC and RSA_FLAG_CACHE_PRIVATE in the rsa_ossl_init() function, and we can see that the above leak does not happen. In this regard, are there any known issues/fixes available which we could try?

3. Any other suggestion for debugging this memory leak from the openssl point of view would be welcome.
Regards,
Chetan

From michal.moravec at logicworks.cz Wed Apr 28 07:07:38 2021
From: michal.moravec at logicworks.cz (Michal Moravec)
Date: Wed, 28 Apr 2021 07:07:38 +0000
Subject: PKCS7_decrypt vs RSA OAEP padding
In-Reply-To: <15F2F15A-D05C-494F-90B5-732774836F9B@logicworks.cz>
References: <014A6238-B9C5-498B-995B-46E3CCE2C2E3@logicworks.cz>
 <1FE54151-FBDB-40C5-9806-C61CF63573FE@logicworks.cz>
 <22B29DE6-AE3B-4E37-BEDE-122C309D8D7D@logicworks.cz>
 <15F2F15A-D05C-494F-90B5-732774836F9B@logicworks.cz>
Message-ID: 

I reported the issue here -> https://github.com/openssl/openssl/issues/14927

I guess this is a final message from me. Nothing more to add.

MM

On 15. 4. 2021, at 17:40, Michal Moravec wrote:

VICTORY!

After replacing the PEM_write_bio_PKCS7/PEM_read_bio_CMS methods with i2d_PKCS7_bio/d2i_CMS_bio
https://github.com/EtneteraLogicworks/libscep/commit/b16cd6a97c979abd6ca0ab7af7a944ef553cf17d
PKCS7 (in this case CMS) decryption now works!

Code now looks like:

handle_encrypted_content(SCEP *handle, SCEP_DATA *data, PKCS7 *p7env, X509 *dec_cert, EVP_PKEY *dec_key)
{
    ...
    CMS_ContentInfo *cmsEnv = NULL;
    BIO *conversion = NULL;

    /* Re-encode the PKCS#7 envelope as DER and parse it back as CMS */
    conversion = BIO_new(BIO_s_mem());
    i2d_PKCS7_bio(conversion, p7env);
    cmsEnv = d2i_CMS_bio(conversion, NULL);

    CMS_decrypt(cmsEnv, dec_key, dec_cert, NULL, decData, 0);

MM

From janjust at nikhef.nl Wed Apr 28 10:51:22 2021
From: janjust at nikhef.nl (Jan Just Keijser)
Date: Wed, 28 Apr 2021 12:51:22 +0200
Subject: Linker failure after compilation with "enable-crypto-mdebug"
In-Reply-To: <1451023117.1332542.1619461741890@mail.yahoo.com>
References: <1451023117.1332542.1619461741890.ref@mail.yahoo.com>
 <1451023117.1332542.1619461741890@mail.yahoo.com>
Message-ID: <1d971d54-f81b-141b-7dc1-01b3fbf72832@nikhef.nl>

Hi,

On 26/04/21 20:29, Robert Smith via openssl-users wrote:
> Hello everyone.
>
> I'm trying to recompile OpenSSL version 1.1.1k under Windows 10 with
> the following configuration flag enable-crypto-mdebug
> and getting the following linker error:
>
>
>    Creating library apps\openssl.lib and object apps\openssl.exp
> openssl.obj : error LNK2019: unresolved external symbol
> _CRYPTO_mem_leaks referenced in function _main
> apps\openssl.exe : fatal error LNK1120: 1 unresolved externals
> NMAKE : fatal error U1077: '"C:\Program Files (x86)\Microsoft Visual
> Studio 10.0\VC\BIN\link.EXE"' : return code '0x460'
> Stop.
> NMAKE : fatal error U1077: '"C:\Program Files (x86)\Microsoft Visual
> Studio 10.0\VC\BIN\nmake.exe"' : return code '0x2'
> Stop.
>
> Wasted already a few hours trying to figure out the cause for this
> failure.

when building and linking with "enable-crypto-mdebug" set, the file "crypto/mem_dbg.o" needs to be included in the library libcrypto.a (or crypto.lib); check that this file is indeed included when creating the crypto library.

For the record: a Linux build with "enable-crypto-mdebug" works fine.

HTH,

JJK

From wmk589 at yahoo.com Wed Apr 28 19:22:07 2021
From: wmk589 at yahoo.com (Robert Smith)
Date: Wed, 28 Apr 2021 19:22:07 +0000 (UTC)
Subject: Linker failure after compilation with "enable-crypto-mdebug"
In-Reply-To: <1d971d54-f81b-141b-7dc1-01b3fbf72832@nikhef.nl>
References: <1451023117.1332542.1619461741890.ref@mail.yahoo.com>
 <1451023117.1332542.1619461741890@mail.yahoo.com>
 <1d971d54-f81b-141b-7dc1-01b3fbf72832@nikhef.nl>
Message-ID: <84238834.2226036.1619637727198@mail.yahoo.com>

Hi Jan,

Thank you for your response.
Obviously the file mem_dbg is not included and that is why I am having this problem.

The questions are:
Whether the "enable-crypto-mdebug" flag is supported in Windows at all?

Whether this is a known issue?

What control do I have over the Windows build (I mean how can I include or exclude a certain file)?
My assumption was if I have to mess with Windows build scripts, I am in the wrong direction. However I could be wrong ...

Whether the file mem_dbg was excluded on purpose from the Windows build?

Robert

On Wednesday, April 28, 2021, 06:51:36 AM EDT, Jan Just Keijser wrote:

> Hi,
>
> On 26/04/21 20:29, Robert Smith via openssl-users wrote:
> Hello everyone.
>
> I'm trying to recompile OpenSSL version 1.1.1k under Windows 10 with the following configuration flag enable-crypto-mdebug and getting the following linker error:
>
>    Creating library apps\openssl.lib and object apps\openssl.exp
> openssl.obj : error LNK2019: unresolved external symbol _CRYPTO_mem_leaks referenced in function _main
> apps\openssl.exe : fatal error LNK1120: 1 unresolved externals
> NMAKE : fatal error U1077: '"C:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\BIN\link.EXE"' : return code '0x460'
> Stop.
> NMAKE : fatal error U1077: '"C:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\BIN\nmake.exe"' : return code '0x2'
> Stop.
>
> Wasted already a few hours trying to figure out the cause for this failure.
>
> when building and linking with "enable-crypto-mdebug" set the file "crypto/mem_dbg.o" needs to be included in the library libcrypto.a (or crypto.lib); check that this file is indeed included when creating the crypto library.
>
> For the record: a Linux build with "enable-crypto-mdebug" works fine.
>
> HTH,
>
> JJK
From janjust at nikhef.nl Thu Apr 29 07:20:51 2021
From: janjust at nikhef.nl (Jan Just Keijser)
Date: Thu, 29 Apr 2021 09:20:51 +0200
Subject: Linker failure after compilation with "enable-crypto-mdebug"
In-Reply-To: <84238834.2226036.1619637727198@mail.yahoo.com>
References: <1451023117.1332542.1619461741890.ref@mail.yahoo.com>
 <1451023117.1332542.1619461741890@mail.yahoo.com>
 <1d971d54-f81b-141b-7dc1-01b3fbf72832@nikhef.nl>
 <84238834.2226036.1619637727198@mail.yahoo.com>
Message-ID: <86008002-7b45-576a-d533-d0fdc5c002c5@nikhef.nl>

Hi,

On 28/04/21 21:22, Robert Smith wrote:
> Hi Jan,
>
> Thank you for your response.
> Obviously the file mem_dbg is not included and that is why I am having
> this problem.
>
> The questions are:
> Whether the "enable-crypto-mdebug" flag is supported in Windows at all?
>
> Whether this is a known issue?
>
> What control do I have over the Windows build (I mean how can I include or
> exclude a certain file)? My assumption was if I have to mess with
> Windows build scripts, I am in the wrong direction. However I could be
> wrong ...
>
> Whether the file mem_dbg was excluded on purpose from the Windows build?

there does not seem to be anything specific about mem_dbg; I don't have Visual Studio but if I do a mingw64 build of openssl 1.1.1k with "enable-crypto-mdebug" set then it builds just fine.

How did you configure openssl? What command did you run and what build environment are you using? msys?

It will also be interesting to see the output of

  perl configdata.pm --dump

after you've run the Configure script - that should tell you whether mdebug is enabled or not:

    crypto-mdebug           [default]  OPENSSL_NO_CRYPTO_MDEBUG

is the default.

HTH,

JJK

> On Wednesday, April 28, 2021, 06:51:36 AM EDT, Jan Just Keijser
> wrote:
>
>
> Hi,
>
> On 26/04/21 20:29, Robert Smith via openssl-users wrote:
> Hello everyone.
>
> I'm trying to recompile OpenSSL version 1.1.1k under Windows 10 with
> the following configuration flag enable-crypto-mdebug
> and getting the following linker error:
>
>
>    Creating library apps\openssl.lib and object apps\openssl.exp
> openssl.obj : error LNK2019: unresolved external symbol
> _CRYPTO_mem_leaks referenced in function _main
> apps\openssl.exe : fatal error LNK1120: 1 unresolved externals
> NMAKE : fatal error U1077: '"C:\Program Files (x86)\Microsoft Visual
> Studio 10.0\VC\BIN\link.EXE"' : return code '0x460'
> Stop.
> NMAKE : fatal error U1077: '"C:\Program Files (x86)\Microsoft Visual
> Studio 10.0\VC\BIN\nmake.exe"' : return code '0x2'
> Stop.
>
> Wasted already a few hours trying to figure out the cause for this
> failure.
>
>
> when building and linking with "enable-crypto-mdebug" set the file
> "crypto/mem_dbg.o" needs to be included in the library libcrypto.a (or
> crypto.lib); check that this file is indeed included when creating the
> crypto library.
>
> For the record: a Linux build with "enable-crypto-mdebug" works fine.
>
> HTH,
>
> JJK
>

From Matthias.St.Pierre at ncp-e.com Thu Apr 29 09:49:20 2021
From: Matthias.St.Pierre at ncp-e.com (Dr. Matthias St. Pierre)
Date: Thu, 29 Apr 2021 09:49:20 +0000
Subject: configuration options 'fips' and 'makedepend' disabled by default on master
Message-ID: <268c8016dbb04e5faf475226548d27b5@ncp-e.com>

The 'fips' option is now disabled by default.

For the 'makedepend' option, several people raised concerns whether the disadvantages of disabling it wouldn't outweigh the performance gain at build time, see the discussion in pull request #15050. So I decided to drop the pull request; the 'makedepend' option remains enabled by default.

Matthias

https://github.com/openssl/openssl/pull/15050

> -----Original Message-----
> From: openssl-users On Behalf Of Dr. Matthias St.
> Pierre
> Sent: Tuesday, April 27, 2021 9:50 PM
> To: openssl-users at openssl.org
> Subject: configuration options 'fips' and 'makedepend' disabled by default on master
>
> Just a short heads-up to all users testing and developing for OpenSSL 3.0:
>
> The defaults for the configuration options 'fips' and 'makedepend' are going to change on the master branch soon
> (i.e., before the release of 3.0.0 alpha16): they will be disabled by default.
>
> If your developer workflow or your continuous integration relies on one of those options, now is a good time
> to enable them explicitly by adding 'enable-fips' resp. 'enable-makedepend' to your configure arguments.
>
> Regards,
> Matthias
>
>
> disable fips: https://github.com/openssl/openssl/pull/13684/commits/b76c7c2513384013f4edd5ed39f7175adbc8aaca
> disable makedepend: https://github.com/openssl/openssl/pull/15050/commits/40a85b61d0b8344941b751d6e34d752a7d8e0827

From mahendra.sp at gmail.com Thu Apr 29 11:50:03 2021
From: mahendra.sp at gmail.com (Mahendra SP)
Date: Thu, 29 Apr 2021 17:20:03 +0530
Subject: Load and unload of engines at runtime
Message-ID: 

Hi All,

We have crypto engines for offloading operations like RSA, digests and ciphers, hmac etc.
We are looking at a way to load and unload engines at run time. This is needed as we need to use the engine when needed for crypto operations. Else we plan to use openssl for the same.

We tried,
-> unregister calls like ENGINE_unregister_XXX calls to force redirection to openssl
-> Again, ENGINE_register_XXX to redirect to the engine.

However, the above methods are not helping.

Please suggest a way to achieve the above requirement.

Thanks
Mahendra
From joe at cryptosecuregroup.com Thu Apr 29 14:04:23 2021
From: joe at cryptosecuregroup.com (Joe Eremita)
Date: Thu, 29 Apr 2021 10:04:23 -0400
Subject: Creating a CSR using OpenSSL v1.1.1
Message-ID: 

Hello all,

I am developing a library that uses an HSM, and I need to create a CSR to send to the CA. I have some examples using the X509_REQ to set the public key and attributes. I've also seen examples of signing the CSR, which find the req_info that is needed to sign the CSR:

EVP_PKEY_assign_RSA(pkey, rsa);
X509_REQ_set_pubkey(req, pkey);
subj = X509_REQ_get_subject_name(req);
X509_NAME_add_entry_by_txt(subj, "C", MBSTRING_ASC, (unsigned char *)"SK", -1, -1, 0);
X509_NAME_add_entry_by_txt(subj, "CN", MBSTRING_ASC, (unsigned char *)"Test", -1, -1, 0);
int datasig_len;
unsigned char *tobesigned;
datasig_len = i2d_X509_REQ_INFO(req->req_info, NULL);

When I compile the last line, I get the error:

error: invalid use of incomplete type 'X509_REQ {aka struct X509_req_st}'

I have discovered that the header x509.h hides the type 'req_info', and upon further research, I also found that this type was eliminated since v1.1.0 of OpenSSL. Does anyone know of an alternative to accessing the 'req_info' element, or another way I can access the info I need to sign?

Thanks for your help.
From matt at openssl.org Thu Apr 29 14:15:39 2021
From: matt at openssl.org (Matt Caswell)
Date: Thu, 29 Apr 2021 15:15:39 +0100
Subject: Creating a CSR using OpenSSL v1.1.1
In-Reply-To: 
References: 
Message-ID: <979bd99b-d71b-8f7a-58ce-09519c65f50c@openssl.org>

On 29/04/2021 15:04, Joe Eremita wrote:
> datasig_len = i2d_X509_REQ_INFO( req->req_info, NULL );

You can achieve this by instead doing:

datasig_len = i2d_re_X509_REQ_tbs(req, NULL);

See:

https://www.openssl.org/docs/man1.1.1/man3/i2d_re_X509_REQ_tbs.html

Matt

From joe at cryptosecuregroup.com Thu Apr 29 21:00:21 2021
From: joe at cryptosecuregroup.com (Joe Eremita)
Date: Thu, 29 Apr 2021 17:00:21 -0400
Subject: Creating a CSR using OpenSSL v1.1.1
In-Reply-To: <979bd99b-d71b-8f7a-58ce-09519c65f50c@openssl.org>
References: <979bd99b-d71b-8f7a-58ce-09519c65f50c@openssl.org>
Message-ID: 

Hi Matt,

Thanks so much for your response. Now I see what the 'tbs' acronym is for!

I do have another question: this regards setting the signature in the signature element of the request. I figured out how to make an ECDSA_SIG object using the r and s components of the ECDSA signature, however I do not see any way of converting it to an ASN1_BIT_STRING type. Is there a method or process for performing this?

Thanks Again,
Joe

On Thu, Apr 29, 2021 at 10:15 AM Matt Caswell wrote:

>
>
> On 29/04/2021 15:04, Joe Eremita wrote:
> > datasig_len = i2d_X509_REQ_INFO( req->req_info, NULL );
>
> You can achieve this by instead doing:
>
> datasig_len = i2d_re_X509_REQ_tbs(req, NULL);
>
> See:
>
> https://www.openssl.org/docs/man1.1.1/man3/i2d_re_X509_REQ_tbs.html
>
> Matt
>
From venkateswara.rao at i-exceed.com Fri Apr 30 10:18:30 2021
From: venkateswara.rao at i-exceed.com (K V Rao)
Date: Fri, 30 Apr 2021 15:48:30 +0530
Subject: Request Assistance::No X509TrustManager implementation available
Message-ID: <0d1e01d73daa$2cd35120$8679f360$@i-exceed.com>

Dear Sir/Madam,

Greetings for the day!

We have provided an application which invokes an https URL. The app server used is TOMCAT. The team who administers the application installed certificates under CACERTS. The certificate is available in a .JKS file. Now the application works well for some days. After a few days we get the error "No X509TrustManager implementation available". When the JVM is restarted it works again.

The exception captured by the application is the following:

Error = javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No X509TrustManager implementation available

The exception printed after enabling SSL debug is the following.

Algorithm: [SHA256withRSA]
Signature:
[certificate signature hex dump omitted]
]
***
%% Invalidated: [Session-14627, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
Thread-9622, SEND TLSv1.2 ALERT: fatal, description = certificate_unknown
Thread-9622, WRITE: TLSv1.2 Alert, length = 2
[Raw write]: length = 7
0000: 15 03 03 00 02 02 2E .......
Thread-9622, called closeSocket()
Thread-9622, handling exception: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No X509TrustManager implementation available

When the JVM is restarted and users perform a transaction, the application receives a success message and the debug captured is the following.

Algorithm: [SHA256withRSA]
Signature:
[certificate signature hex dump omitted]
]
***
Found trusted certificate:

So we are not able to figure out if there is an issue with the certificate, the key store or the certificate chain. Any guidance/assistance in this regard to address the issue will be highly appreciated. Please revert in case you need any additional details/information to provide guidance.

Thank you in advance.

Regards,
Rao KV
From markhack at markhack.com Fri Apr 30 14:11:01 2021
From: markhack at markhack.com (Mark Hack)
Date: Fri, 30 Apr 2021 09:11:01 -0500
Subject: Request Assistance::No X509TrustManager implementation available
In-Reply-To: <0d1e01d73daa$2cd35120$8679f360$@i-exceed.com>
References: <0d1e01d73daa$2cd35120$8679f360$@i-exceed.com>
Message-ID: <757f12bff921ec1225c343c9dfb2cf13033fe758.camel@markhack.com>

This is a Java error and not an OpenSSL error. This will be thrown if the application did not specify a valid X509 Trust Manager for the SSLContext.

On Fri, 2021-04-30 at 15:48 +0530, K V Rao via openssl-users wrote:
> No X509TrustManager implementation available

From abaci.mjm at gmail.com Fri Apr 30 22:31:43 2021
From: abaci.mjm at gmail.com (Michael Mueller)
Date: Fri, 30 Apr 2021 18:31:43 -0400
Subject: openssl windows compile: VS2012 Pro vs VS2019 Community
Message-ID:

Compiling OpenSSL 1.1.1k on W2008R2 with VS2019 Community was successful. Compiling my app that uses the OpenSSL DLLs on the same platform was successful. "openssl.exe version" works correctly.

Running my app I get "No OPENSSL_Applink". This is new since running VS2019-compiled binaries.

I included ms\applink.c in the source list and recompiled my app. Working now.

Does anyone have insight into why applink.c is needed with a VS2019 Community compile and not a VS2012 Pro compile? Should all MS apps linking the OpenSSL DLLs always have applink.c in the sources?

Thanks for reading.

Mike