[openssl-dev] Changing malloc/debug stuff
I want to change the memory alloc/debug things. Right now there are several undocumented functions to allow you to swap-out the malloc/realloc/free routines, wrappers that call those routines, debug versions of those wrappers, and functions to set the set-options versions of those functions. Yes, really :) Is anyone using that stuff? I want to change the model so that there are three wrappers around malloc/realloc/free, and that the only thing you can do is change that wrapper. This is vastly simpler and easier to understand. I also documented it. A version can be found at https://github.com/openssl/openssl/pull/450 I've posted about this before. But I'm asking again if this kind of change will cause problems for anyone. Thanks. -- Senior Architect, Akamai Technologies IM: richs...@jabber.at Twitter: RichSalz ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] [openssl.org #4176] Add support for async jobs in OpenSSL speed
Hi! I have just pushed an updated version of the patch that addresses the comments of the pull request: https://github.com/openssl/openssl/pull/501 Regards, Andrea -Original Message- From: openssl-dev [mailto:openssl-dev-boun...@openssl.org] On Behalf Of Grandi, Andrea via RT Sent: Thursday, December 10, 2015 2:47 PM Cc: openssl-dev@openssl.org Subject: [openssl-dev] [openssl.org #4176] Add support for async jobs in OpenSSL speed Hi! This pull request adds support for async jobs in OpenSSL speed: https://github.com/openssl/openssl/pull/501 Summary of the changes: * Move the calls to the crypto operations inside wrapper functions. This is required because ASYNC_start_job() takes a function as an argument. * Add new function run_benchmark() that manages the jobs for all the operations. In the POSIX case it uses a select() to receive the events from the engine and resume the jobs that are paused, while in the WIN case it uses PeekNamedPipe() * Add new option argument async_jobs to enable and specify the number of async jobs Example: openssl speed -engine dasync -elapsed -async_jobs 32 rsa2048 Regards, Andrea Grandi -- Intel Research and Development Ireland Limited Registered in Ireland Registered Office: Collinstown Industrial Park, Leixlip, County Kildare Registered Number: 308263 This e-mail and any attachments may contain confidential material for the sole use of the intended recipient(s). Any review or distribution by others is strictly prohibited. If you are not the intended recipient, please contact the sender and delete all copies. -- Intel Research and Development Ireland Limited Registered in Ireland Registered Office: Collinstown Industrial Park, Leixlip, County Kildare Registered Number: 308263 This e-mail and any attachments may contain confidential material for the sole use of the intended recipient(s). Any review or distribution by others is strictly prohibited. If you are not the intended recipient, please contact the sender and delete all copies. ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] [openssl-users] Changing malloc/debug stuff
On Thu, Dec 17, 2015 at 09:28:28AM +, Salz, Rich wrote: > I want to change the model so that there are three wrappers around > malloc/realloc/free, and that the only thing you can do is change that > wrapper. This is vastly simpler and easier to understand. I also > documented it. A version can be found at > https://github.com/openssl/openssl/pull/450 > > I've posted about this before. But I'm asking again if this kind of change > will cause problems for anyone. Does CRYPTO_mem_leaks(bio_err) continue to work after the change? It is used in the test-suite and is fairly useful for that. -- Viktor. ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] [openssl-users] Changing malloc/debug stuff
> Does CRYPTO_mem_leaks(bio_err) continue to work after the change? > It is used in the test-suite and is fairly useful for that. Yes it does! ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] [openssl.org #4185] Bug in EVP_MD_CTX_copy_ex's malloc failure handling
On Wed, Dec 16, 2015 at 11:34:56PM +, David Benjamin via RT wrote: > EVP_MD_CTX_copy_ex is implemented with memcpy, followed by manually fixing > up |out->pctx| and |out->md_data|. > > https://git.openssl.org/gitweb/?p=openssl.git;a=blob;f=crypto/evp/digest.c;h=5da0e01039a6da039942db9f1bf8b70753f509f2;hb=HEAD#l292 > > If allocating |out->md_data| fails, then both |out->pctx| and |in->pctx| > may point to the same EVP_PKEY_CTX and freeing |out| will cause problems. > > We fixed this by not using memcpy. > https://boringssl.googlesource.com/boringssl/+/306ece31bcaaed49e0240a2ef8901ebb2d45%5E%21/crypto/digest/digest.c This patch won't apply as is since we have more fields (engine, flags). We also don't have pctx_ops, but have update instead, but already seem to copy that anyway. Kurt ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] [openssl-users] Changing malloc/debug stuff
> > https://github.com/openssl/openssl/pull/450 > > This seems much more sane. I'll settle for less insane :) ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] openssl pkeyutl unable to use keys on a PKCS11 token?
I’m playing with RSA-PSS and PKCS11 engine (in OpenSSL, of course :). This works: $ openssl dgst -engine pkcs11 -keyform engine -sign "pkcs11:object=SIGN%20key;object-type=private;pin-value=123456" -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -out sig1.out ~/src/wtls-verifier engine "pkcs11" set. $ pkcs15-tool --read-public-key 02 -o 02.pem Using reader with a card: Yubico Yubikey NEO OTP+U2F+CCID Please enter PIN [PIV Card Holder pin]: $ openssl dgst -keyform PEM -verify 02.pem -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -signature sig1.out ~/src/wtls-verifier Verified OK $ But this doesn’t: $ openssl dgst -engine pkcs11 -keyform engine -verify "pkcs11:object=SIGN%20pubkey;object-type=public" -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -signature sig1.out ~/src/wtls-verifier engine "pkcs11" set. The key ID is not a valid PKCS#11 URI as defined by RFC7512. PKCS11_load_public_key returned NULL unable to load key file $ And this one doesn’t either: $ openssl dgst -engine pkcs11 -keyform engine -verify "pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=6d87283aaed2e 6a5;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%02;object=SIGN%20pub key;object-type=public" -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -signature sig1.out ~/src/wtls-verifier engine "pkcs11" set. The key ID is not a valid PKCS#11 URI as defined by RFC7512. PKCS11_load_public_key returned NULL unable to load key file $ openssl dgst -engine pkcs11 -keyform engine -verify "pkcs11:object=SIGN%20pubkey;type=public" -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -signature sig1.out ~/src/wtls-verifier engine "pkcs11" set. The key ID is not a valid PKCS#11 URI as defined by RFC7512. PKCS11_load_public_key returned NULL unable to load key file Is it a bug, or what am I doing wrong? Thanks! -- Regards, Uri Blumenthal On 12/10/15, 17:17 , "openssl-dev on behalf of Blumenthal, Uri - 0553 - MITLL"wrote: >On 12/10/15, 16:56 , "openssl-dev on behalf of Dr. Stephen Henson" > wrote: > Temporary fix is to set the second argument in EVP_PKEY_CTX_new to NULL >>> >in pkeyutl.c >>> >>> With your proposed (temporary) fix, the signature both generated and >>> verified successfully (see below). Could I ask to push this fix to the >>> master, and maybe/hopefully to 1_0_2 branch? >>> >> >>As I indicated the fix I suggested it temporary. Sometimes a user will >>want that behaviour so we'd need a new command line option indicating the >>private key engine only. > >Ideally engine_pkcs11 should do it automatically, but I see your point. >Perhaps the code in pkeyutl.c could check if (a) engine is set, and (b) >the engine is PKCS11? And if so - automatically do the right thing? Do you >envision other engines with similar needs? My assumption was that the only >engine that talks to smart cards is pkcs11... > >In the meanwhile, in your opinion should rsautl need a similar patch, or >would it work out of box, like dgst did? > >Thank you! smime.p7s Description: S/MIME cryptographic signature ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] [openssl-users] Changing malloc/debug stuff
On Thu, Dec 17, 2015 at 08:16:50PM +, Salz, Rich wrote: > > > https://github.com/openssl/openssl/pull/450 > > > > This seems much more sane. > > I'll settle for less insane :) That is, I think, the best you can do. Some allocations might have taken place by the time a wrapper or alternative allocator is installed, in which case something bad will happen. In the case of alternative allocators the something bad is "it blows up", while in the case of a wrapper the something bad is "some state/whatever will be off". A fully sane approach would be to have every allocated object internally point to its destructor, and then always destroy by calling that destructor instead of a global one. (Or call a global one that knows how to find the object's private destructor pointer, and then calls that.) If you wish, something more OO-ish. But for many allocations that's not possible because they aren't "objects" in the sense that matters. You could always wrap allocations so that they always have room at the front for the corresponding destructor, then return the offset of the end of that pointer, but this will be very heavy-duty for many allocations. So, all in all, I like and prefer your approach. Nico -- ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] [openssl.org #4185] Bug in EVP_MD_CTX_copy_ex's malloc failure handling
On Thu, Dec 17, 2015 at 2:43 PM Kurt Roeckx via RTwrote: > On Wed, Dec 16, 2015 at 11:34:56PM +, David Benjamin via RT wrote: > > EVP_MD_CTX_copy_ex is implemented with memcpy, followed by manually > fixing > > up |out->pctx| and |out->md_data|. > > > > > https://git.openssl.org/gitweb/?p=openssl.git;a=blob;f=crypto/evp/digest.c;h=5da0e01039a6da039942db9f1bf8b70753f509f2;hb=HEAD#l292 > > > > If allocating |out->md_data| fails, then both |out->pctx| and |in->pctx| > > may point to the same EVP_PKEY_CTX and freeing |out| will cause problems. > > > > We fixed this by not using memcpy. > > > https://boringssl.googlesource.com/boringssl/+/306ece31bcaaed49e0240a2ef8901ebb2d45%5E%21/crypto/digest/digest.c > > This patch won't apply as is since we have more fields (engine, > flags). > > We also don't have pctx_ops, but have update instead, but already > seem to copy that anyway. > Right, we've diverged enough at this point that patches not applying as-is is the norm. :-) That was meant as a reference, but someone will need to do the equivalent change in OpenSSL if you all like the approach. David ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] [openssl-users] Changing malloc/debug stuff
On Thu, Dec 17, 2015 at 09:28:28AM +, Salz, Rich wrote: > I want to change the memory alloc/debug things. > > Right now there are several undocumented functions to allow you to > swap-out the malloc/realloc/free routines, wrappers that call those > routines, debug versions of those wrappers, and functions to set the > set-options versions of those functions. Yes, really :) Is anyone > using that stuff? This is another one of those things that isn't easy to deal with sanely the way OpenSSL is actually used (i.e., by other libraries as well as by apps). > I want to change the model so that there are three wrappers around > malloc/realloc/free, and that the only thing you can do is change that > wrapper. This is vastly simpler and easier to understand. I also > documented it. A version can be found at > https://github.com/openssl/openssl/pull/450 This seems much more sane. Nico -- ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
[openssl-dev] [openssl.org #4185] Bug in EVP_MD_CTX_copy_ex's malloc failure handling
Considering we just had a substantial change in digest.c et al, inspiration is the way to go. I figured that these two lines after the first memcpy() would be good enough, as those are the variables that get populated afterward: out->md_data = NULL; out->pctx = NULL; Cheers, Richard Vid Thu, 17 Dec 2015 kl. 19.58.49, skrev david...@google.com: > On Thu, Dec 17, 2015 at 2:43 PM Kurt Roeckx via RT> wrote: > > > On Wed, Dec 16, 2015 at 11:34:56PM +, David Benjamin via RT > > wrote: > > > EVP_MD_CTX_copy_ex is implemented with memcpy, followed by manually > > fixing > > > up |out->pctx| and |out->md_data|. > > > > > > > > https://git.openssl.org/gitweb/?p=openssl.git;a=blob;f=crypto/evp/digest.c;h=5da0e01039a6da039942db9f1bf8b70753f509f2;hb=HEAD#l292 > > > > > > If allocating |out->md_data| fails, then both |out->pctx| and |in- > > > >pctx| > > > may point to the same EVP_PKEY_CTX and freeing |out| will cause > > > problems. > > > > > > We fixed this by not using memcpy. > > > > > https://boringssl.googlesource.com/boringssl/+/306ece31bcaaed49e0240a2ef8901ebb2d45%5E%21/crypto/digest/digest.c > > > > This patch won't apply as is since we have more fields (engine, > > flags). > > > > We also don't have pctx_ops, but have update instead, but already > > seem to copy that anyway. > > > > Right, we've diverged enough at this point that patches not applying > as-is > is the norm. :-) That was meant as a reference, but someone will need > to do > the equivalent change in OpenSSL if you all like the approach. > > David -- Richard Levitte levi...@openssl.org ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] openssl pkeyutl unable to use keys on a PKCS11 token?
"The key ID is not a valid PKCS#11 URI as defined by" comes from the OpenSC engine code in ./engine_pkcs11.c looks like type or object-type= will be ignored, but must be cert or private, but if its not, rv may not be set correctly: 486 } else if (!strncmp(p, "type=", 5) || !strncmp(p, "object-type=", 12)) { 487 p = strchr(p, '=') + 1; 488 489 if ((end - p == 4 && !strncmp(p, "cert", 4)) || 490 (end - p == 7 && !strncmp(p, "private", 7))) { 491 /* Actually, just ignore it */ 492 } else 493 rv = 0; Try removing the "object-type=public" in your tests. On 12/17/2015 4:06 PM, Blumenthal, Uri - 0553 - MITLL wrote: I’m playing with RSA-PSS and PKCS11 engine (in OpenSSL, of course :). This works: $ openssl dgst -engine pkcs11 -keyform engine -sign "pkcs11:object=SIGN%20key;object-type=private;pin-value=123456" -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -out sig1.out ~/src/wtls-verifier engine "pkcs11" set. $ pkcs15-tool --read-public-key 02 -o 02.pem Using reader with a card: Yubico Yubikey NEO OTP+U2F+CCID Please enter PIN [PIV Card Holder pin]: $ openssl dgst -keyform PEM -verify 02.pem -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -signature sig1.out ~/src/wtls-verifier Verified OK $ But this doesn’t: $ openssl dgst -engine pkcs11 -keyform engine -verify "pkcs11:object=SIGN%20pubkey;object-type=public" -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -signature sig1.out ~/src/wtls-verifier engine "pkcs11" set. The key ID is not a valid PKCS#11 URI as defined by RFC7512. PKCS11_load_public_key returned NULL unable to load key file $ And this one doesn’t either: $ openssl dgst -engine pkcs11 -keyform engine -verify "pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=6d87283aaed2e 6a5;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%02;object=SIGN%20pub key;object-type=public" -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -signature sig1.out ~/src/wtls-verifier engine "pkcs11" set. The key ID is not a valid PKCS#11 URI as defined by RFC7512. PKCS11_load_public_key returned NULL unable to load key file $ openssl dgst -engine pkcs11 -keyform engine -verify "pkcs11:object=SIGN%20pubkey;type=public" -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -signature sig1.out ~/src/wtls-verifier engine "pkcs11" set. The key ID is not a valid PKCS#11 URI as defined by RFC7512. PKCS11_load_public_key returned NULL unable to load key file Is it a bug, or what am I doing wrong? Thanks! ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev -- Douglas E. Engert___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev