[openssl-dev] Changing malloc/debug stuff

2015-12-17 Thread Salz, Rich
I want to change the memory alloc/debug things.

Right now there are several undocumented functions to allow you to swap-out the 
malloc/realloc/free routines, wrappers that call those routines, debug versions 
of those wrappers, and functions to set the set-options versions of those 
functions.  Yes, really :)  Is anyone using that stuff?

I want to change the model so that there are three wrappers around 
malloc/realloc/free, and that the only thing you can do is change that wrapper. 
 This is vastly simpler and easier to understand.  I also documented it.  A 
version can be found at https://github.com/openssl/openssl/pull/450

I've posted about this before.  But I'm asking again if this kind of change 
will cause problems for anyone.

Thanks.

--
Senior Architect, Akamai Technologies
IM: richs...@jabber.at Twitter: RichSalz

___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


Re: [openssl-dev] [openssl.org #4176] Add support for async jobs in OpenSSL speed

2015-12-17 Thread Grandi, Andrea
Hi!

I have just pushed an updated version of the patch that addresses the comments 
of the pull request:
https://github.com/openssl/openssl/pull/501

Regards,
Andrea

-Original Message-
From: openssl-dev [mailto:openssl-dev-boun...@openssl.org] On Behalf Of Grandi, 
Andrea via RT
Sent: Thursday, December 10, 2015 2:47 PM
Cc: openssl-dev@openssl.org
Subject: [openssl-dev] [openssl.org #4176] Add support for async jobs in 
OpenSSL speed

Hi!

This pull request adds support for async jobs in OpenSSL speed:
https://github.com/openssl/openssl/pull/501


Summary of the changes:

  *   Move the calls to the crypto operations inside wrapper functions.
      This is required because ASYNC_start_job() takes a function as an
      argument.

  *   Add new function run_benchmark() that manages the jobs for all the
      operations. In the POSIX case it uses a select() to receive the events
      from the engine and resume the jobs that are paused, while in the WIN
      case it uses PeekNamedPipe().

  *   Add new option argument async_jobs to enable and specify the number of
      async jobs.

Example:

openssl speed -engine dasync -elapsed -async_jobs 32 rsa2048


Regards,
Andrea Grandi
--
Intel Research and Development Ireland Limited Registered in Ireland Registered 
Office: Collinstown Industrial Park, Leixlip, County Kildare Registered Number: 
308263


This e-mail and any attachments may contain confidential material for the sole 
use of the intended recipient(s). Any review or distribution by others is 
strictly prohibited. If you are not the intended recipient, please contact the 
sender and delete all copies.



Re: [openssl-dev] [openssl-users] Changing malloc/debug stuff

2015-12-17 Thread Viktor Dukhovni
On Thu, Dec 17, 2015 at 09:28:28AM +, Salz, Rich wrote:

> I want to change the model so that there are three wrappers around
> malloc/realloc/free, and that the only thing you can do is change that
> wrapper.  This is vastly simpler and easier to understand.  I also
> documented it.  A version can be found at
> https://github.com/openssl/openssl/pull/450
> 
> I've posted about this before.  But I'm asking again if this kind of change 
> will cause problems for anyone.

Does CRYPTO_mem_leaks(bio_err) continue to work after the change?
It is used in the test-suite and is fairly useful for that.

-- 
Viktor.


Re: [openssl-dev] [openssl-users] Changing malloc/debug stuff

2015-12-17 Thread Salz, Rich
 
> Does CRYPTO_mem_leaks(bio_err) continue to work after the change?
> It is used in the test-suite and is fairly useful for that.

Yes it does!


Re: [openssl-dev] [openssl.org #4185] Bug in EVP_MD_CTX_copy_ex's malloc failure handling

2015-12-17 Thread Kurt Roeckx via RT
On Wed, Dec 16, 2015 at 11:34:56PM +, David Benjamin via RT wrote:
> EVP_MD_CTX_copy_ex is implemented with memcpy, followed by manually fixing
> up |out->pctx| and |out->md_data|.
> 
> https://git.openssl.org/gitweb/?p=openssl.git;a=blob;f=crypto/evp/digest.c;h=5da0e01039a6da039942db9f1bf8b70753f509f2;hb=HEAD#l292
> 
> If allocating |out->md_data| fails, then both |out->pctx| and |in->pctx|
> may point to the same EVP_PKEY_CTX and freeing |out| will cause problems.
> 
> We fixed this by not using memcpy.
> https://boringssl.googlesource.com/boringssl/+/306ece31bcaaed49e0240a2ef8901ebb2d45%5E%21/crypto/digest/digest.c

This patch won't apply as is since we have more fields (engine,
flags).

We also don't have pctx_ops, but have update instead, but already
seem to copy that anyway.


Kurt




Re: [openssl-dev] [openssl-users] Changing malloc/debug stuff

2015-12-17 Thread Salz, Rich
> > https://github.com/openssl/openssl/pull/450
> 
> This seems much more sane.

I'll settle for less insane :)



Re: [openssl-dev] openssl pkeyutl unable to use keys on a PKCS11 token?

2015-12-17 Thread Blumenthal, Uri - 0553 - MITLL
I’m playing with RSA-PSS and PKCS11 engine (in OpenSSL, of course :).

This works:

$ openssl dgst -engine pkcs11 -keyform engine -sign \
    "pkcs11:object=SIGN%20key;object-type=private;pin-value=123456" -sha256 \
    -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -out sig1.out \
    ~/src/wtls-verifier
engine "pkcs11" set.
$ pkcs15-tool --read-public-key 02 -o 02.pem
Using reader with a card: Yubico Yubikey NEO OTP+U2F+CCID
Please enter PIN [PIV Card Holder pin]:
$ openssl dgst -keyform PEM -verify 02.pem -sha256 \
    -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 \
    -signature sig1.out ~/src/wtls-verifier
Verified OK
$


But this doesn’t:

$ openssl dgst -engine pkcs11 -keyform engine -verify \
    "pkcs11:object=SIGN%20pubkey;object-type=public" -sha256 \
    -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 \
    -signature sig1.out ~/src/wtls-verifier
engine "pkcs11" set.
The key ID is not a valid PKCS#11 URI as defined by RFC7512.
PKCS11_load_public_key returned NULL
unable to load key file
$


And this one doesn’t either:

$ openssl dgst -engine pkcs11 -keyform engine -verify \
    "pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=6d87283aaed2e6a5;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%02;object=SIGN%20pubkey;object-type=public" \
    -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 \
    -signature sig1.out ~/src/wtls-verifier
engine "pkcs11" set.
The key ID is not a valid PKCS#11 URI as defined by RFC7512.
PKCS11_load_public_key returned NULL
unable to load key file


$ openssl dgst -engine pkcs11 -keyform engine -verify \
    "pkcs11:object=SIGN%20pubkey;type=public" -sha256 \
    -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 \
    -signature sig1.out ~/src/wtls-verifier
engine "pkcs11" set.
The key ID is not a valid PKCS#11 URI as defined by RFC7512.
PKCS11_load_public_key returned NULL
unable to load key file


Is it a bug, or what am I doing wrong?

Thanks!
-- 
Regards,
Uri Blumenthal



On 12/10/15, 17:17 , "openssl-dev on behalf of Blumenthal, Uri - 0553 -
MITLL" wrote:
>On 12/10/15, 16:56 , "openssl-dev on behalf of Dr. Stephen Henson"
>wrote:
>
>>> >Temporary fix is to set the second argument in EVP_PKEY_CTX_new to NULL
>>> >in pkeyutl.c
>>> 
>>> With your proposed (temporary) fix, the signature both generated and
>>> verified successfully (see below). Could I ask to push this fix to the
>>> master, and maybe/hopefully to 1_0_2 branch?
>>> 
>>
>>As I indicated the fix I suggested is temporary. Sometimes a user will
>>want that behaviour so we'd need a new command line option indicating the
>>private key engine only.
>
>Ideally engine_pkcs11 should do it automatically, but I see your point.
>Perhaps the code in pkeyutl.c could check if (a) engine is set, and (b)
>the engine is PKCS11? And if so - automatically do the right thing? Do you
>envision other engines with similar needs? My assumption was that the only
>engine that talks to smart cards is pkcs11...
>
>In the meanwhile, in your opinion should rsautl need a similar patch, or
>would it work out of box, like dgst did?
>
>Thank you!




Re: [openssl-dev] [openssl-users] Changing malloc/debug stuff

2015-12-17 Thread Nico Williams
On Thu, Dec 17, 2015 at 08:16:50PM +, Salz, Rich wrote:
> > > https://github.com/openssl/openssl/pull/450
> > 
> > This seems much more sane.
> 
> I'll settle for less insane :)

That is, I think, the best you can do.  Some allocations might have
taken place by the time a wrapper or alternative allocator is
installed, in which case something bad will happen.  In the case of
alternative allocators the something bad is "it blows up", while in the
case of a wrapper the something bad is "some state/whatever will be
off".

A fully sane approach would be to have every allocated object internally
point to its destructor, and then always destroy by calling that
destructor instead of a global one.  (Or call a global one that knows
how to find the object's private destructor pointer, and then calls
that.)  If you wish, something more OO-ish.  But for many allocations
that's not possible because they aren't "objects" in the sense that
matters.  You could always wrap allocations so that they always have
room at the front for the corresponding destructor, then return the
offset of the end of that pointer, but this will be very heavy-duty for
many allocations.  So, all in all, I like and prefer your approach.

Nico
-- 


Re: [openssl-dev] [openssl.org #4185] Bug in EVP_MD_CTX_copy_ex's malloc failure handling

2015-12-17 Thread David Benjamin via RT
On Thu, Dec 17, 2015 at 2:43 PM Kurt Roeckx via RT wrote:

> On Wed, Dec 16, 2015 at 11:34:56PM +, David Benjamin via RT wrote:
> > EVP_MD_CTX_copy_ex is implemented with memcpy, followed by manually fixing
> > up |out->pctx| and |out->md_data|.
> >
> > https://git.openssl.org/gitweb/?p=openssl.git;a=blob;f=crypto/evp/digest.c;h=5da0e01039a6da039942db9f1bf8b70753f509f2;hb=HEAD#l292
> >
> > If allocating |out->md_data| fails, then both |out->pctx| and |in->pctx|
> > may point to the same EVP_PKEY_CTX and freeing |out| will cause problems.
> >
> > We fixed this by not using memcpy.
> > https://boringssl.googlesource.com/boringssl/+/306ece31bcaaed49e0240a2ef8901ebb2d45%5E%21/crypto/digest/digest.c
>
> This patch won't apply as is since we have more fields (engine,
> flags).
>
> We also don't have pctx_ops, but have update instead, but already
> seem to copy that anyway.
>

Right, we've diverged enough at this point that patches not applying as-is
is the norm. :-) That was meant as a reference, but someone will need to do
the equivalent change in OpenSSL if you all like the approach.

David



Re: [openssl-dev] [openssl-users] Changing malloc/debug stuff

2015-12-17 Thread Nico Williams
On Thu, Dec 17, 2015 at 09:28:28AM +, Salz, Rich wrote:
> I want to change the memory alloc/debug things.
> 
> Right now there are several undocumented functions to allow you to
> swap-out the malloc/realloc/free routines, wrappers that call those
> routines, debug versions of those wrappers, and functions to set the
> set-options versions of those functions.  Yes, really :)  Is anyone
> using that stuff?

This is another one of those things that isn't easy to deal with sanely
the way OpenSSL is actually used (i.e., by other libraries as well as by
apps).

> I want to change the model so that there are three wrappers around
> malloc/realloc/free, and that the only thing you can do is change that
> wrapper.  This is vastly simpler and easier to understand.  I also
> documented it.  A version can be found at
> https://github.com/openssl/openssl/pull/450

This seems much more sane.

Nico
-- 


[openssl-dev] [openssl.org #4185] Bug in EVP_MD_CTX_copy_ex's malloc failure handling

2015-12-17 Thread Richard Levitte via RT
Considering we just had a substantial change in digest.c et al, inspiration is
the way to go. I figured that these two lines after the first memcpy() would be
good enough, as those are the variables that get populated afterward:

    out->md_data = NULL;
    out->pctx = NULL;

Cheers,
Richard

On Thu, 17 Dec 2015 at 19.58.49, david...@google.com wrote:
> On Thu, Dec 17, 2015 at 2:43 PM Kurt Roeckx via RT wrote:
>
> > On Wed, Dec 16, 2015 at 11:34:56PM +, David Benjamin via RT wrote:
> > > EVP_MD_CTX_copy_ex is implemented with memcpy, followed by manually fixing
> > > up |out->pctx| and |out->md_data|.
> > >
> > > https://git.openssl.org/gitweb/?p=openssl.git;a=blob;f=crypto/evp/digest.c;h=5da0e01039a6da039942db9f1bf8b70753f509f2;hb=HEAD#l292
> > >
> > > If allocating |out->md_data| fails, then both |out->pctx| and |in->pctx|
> > > may point to the same EVP_PKEY_CTX and freeing |out| will cause problems.
> > >
> > > We fixed this by not using memcpy.
> > > https://boringssl.googlesource.com/boringssl/+/306ece31bcaaed49e0240a2ef8901ebb2d45%5E%21/crypto/digest/digest.c
> >
> > This patch won't apply as is since we have more fields (engine,
> > flags).
> >
> > We also don't have pctx_ops, but have update instead, but already
> > seem to copy that anyway.
>
> Right, we've diverged enough at this point that patches not applying as-is
> is the norm. :-) That was meant as a reference, but someone will need to do
> the equivalent change in OpenSSL if you all like the approach.
>
> David


--
Richard Levitte
levi...@openssl.org
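
The failure mode reported in this ticket and the two-line reset suggested in the message above, reduced to a toy struct. This is an added example, not OpenSSL or BoringSSL code; every name in it (toy_md_ctx, toy_copy, the fail_next_alloc hook) is hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy stand-ins for EVP_PKEY_CTX and EVP_MD_CTX (hypothetical names);
 * a context owns the memory behind its md_data and pctx pointers. */
typedef struct { int keybits; } toy_pkey_ctx;
typedef struct { size_t ctx_size; void *md_data; toy_pkey_ctx *pctx; } toy_md_ctx;

static int fail_next_alloc;  /* constructed hook: fail exactly one allocation */
static void *toy_alloc(size_t n)
{
    if (fail_next_alloc) { fail_next_alloc = 0; return NULL; }
    return malloc(n);
}

/* memcpy first, then fix up the owned pointers. With clear_owned set, both
 * pointers are reset right after the memcpy, as suggested in the thread. */
static int toy_copy(toy_md_ctx *out, const toy_md_ctx *in, int clear_owned)
{
    memcpy(out, in, sizeof(*out));
    if (clear_owned) { out->md_data = NULL; out->pctx = NULL; }
    out->md_data = toy_alloc(in->ctx_size);
    if (out->md_data == NULL)
        return 0;  /* without clear_owned, out->pctx still equals in->pctx */
    memcpy(out->md_data, in->md_data, in->ctx_size);
    out->pctx = toy_alloc(sizeof(*out->pctx));
    if (out->pctx == NULL) return 0;
    *out->pctx = *in->pctx;
    return 1;
}

static void toy_cleanup(toy_md_ctx *c) { free(c->md_data); free(c->pctx); }

/* 1 if a failed copy leaves out sharing in's pctx (cleaning up both would
 * free it twice), 0 if not, -1 if the setup allocations failed. */
static int aliased_after_failed_copy(int clear_owned)
{
    toy_md_ctx out, in = { 32, calloc(1, 32), calloc(1, sizeof(toy_pkey_ctx)) };
    int aliased;
    if (!in.md_data || !in.pctx) { toy_cleanup(&in); return -1; }
    fail_next_alloc = 1;  /* make the md_data allocation inside toy_copy fail */
    aliased = !toy_copy(&out, &in, clear_owned) && out.pctx == in.pctx;
    if (!aliased) toy_cleanup(&out);  /* safe: out shares nothing with in */
    toy_cleanup(&in);
    return aliased;
}

int main(void)
{
    printf("memcpy only: aliased=%d, pointers cleared: aliased=%d\n",
           aliased_after_failed_copy(0), aliased_after_failed_copy(1));
    return 0;
}
```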



Re: [openssl-dev] openssl pkeyutl unable to use keys on a PKCS11 token?

2015-12-17 Thread Douglas E Engert

  
  
"The key ID is not a valid PKCS#11 URI as defined by"
comes from the OpenSC engine code in ./engine_pkcs11.c

Looks like type or object-type= will be ignored, but must be cert
or private, but if it's not, rv may not be set correctly:

    } else if (!strncmp(p, "type=", 5) ||
               !strncmp(p, "object-type=", 12)) {
        p = strchr(p, '=') + 1;

        if ((end - p == 4 && !strncmp(p, "cert", 4)) ||
            (end - p == 7 && !strncmp(p, "private", 7))) {
            /* Actually, just ignore it */
        } else
            rv = 0;

Try removing the "object-type=public" in your tests.


On 12/17/2015 4:06 PM, Blumenthal, Uri - 0553 - MITLL wrote:

> I’m playing with RSA-PSS and PKCS11 engine (in OpenSSL, of course :).
>
> This works:
>
> $ openssl dgst -engine pkcs11 -keyform engine -sign \
>     "pkcs11:object=SIGN%20key;object-type=private;pin-value=123456" -sha256 \
>     -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -out sig1.out \
>     ~/src/wtls-verifier
> engine "pkcs11" set.
> $ pkcs15-tool --read-public-key 02 -o 02.pem
> Using reader with a card: Yubico Yubikey NEO OTP+U2F+CCID
> Please enter PIN [PIV Card Holder pin]:
> $ openssl dgst -keyform PEM -verify 02.pem -sha256 \
>     -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 \
>     -signature sig1.out ~/src/wtls-verifier
> Verified OK
> $
>
> But this doesn’t:
>
> $ openssl dgst -engine pkcs11 -keyform engine -verify \
>     "pkcs11:object=SIGN%20pubkey;object-type=public" -sha256 \
>     -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 \
>     -signature sig1.out ~/src/wtls-verifier
> engine "pkcs11" set.
> The key ID is not a valid PKCS#11 URI as defined by RFC7512.
> PKCS11_load_public_key returned NULL
> unable to load key file
> $
>
> And this one doesn’t either:
>
> $ openssl dgst -engine pkcs11 -keyform engine -verify \
>     "pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=6d87283aaed2e6a5;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%02;object=SIGN%20pubkey;object-type=public" \
>     -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 \
>     -signature sig1.out ~/src/wtls-verifier
> engine "pkcs11" set.
> The key ID is not a valid PKCS#11 URI as defined by RFC7512.
> PKCS11_load_public_key returned NULL
> unable to load key file
>
> $ openssl dgst -engine pkcs11 -keyform engine -verify \
>     "pkcs11:object=SIGN%20pubkey;type=public" -sha256 \
>     -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 \
>     -signature sig1.out ~/src/wtls-verifier
> engine "pkcs11" set.
> The key ID is not a valid PKCS#11 URI as defined by RFC7512.
> PKCS11_load_public_key returned NULL
> unable to load key file
>
> Is it a bug, or what am I doing wrong?
>
> Thanks!


-- 

 Douglas E. Engert  
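
The type check quoted in the message above, rebuilt as a stand-alone function and run against a URI from the thread, next to a check against the values RFC 7512 defines for the `type` attribute. This is an added example, not engine_pkcs11 code; the function names and the attribute walker are hypothetical, and the walker handles only the `;`-separated attributes seen in this thread.

```c
#include <stdio.h>
#include <string.h>

/* The check quoted in the message: only "cert" and "private" pass. */
static int type_ok_as_quoted(const char *v, size_t n)
{
    return (n == 4 && !strncmp(v, "cert", 4)) ||
           (n == 7 && !strncmp(v, "private", 7));
}

/* The values RFC 7512 defines for the "type" attribute. */
static int type_ok_rfc7512(const char *v, size_t n)
{
    static const char *const ok[] =
        { "public", "private", "cert", "secret-key", "data" };
    size_t i;
    for (i = 0; i < sizeof(ok) / sizeof(ok[0]); i++)
        if (strlen(ok[i]) == n && !strncmp(v, ok[i], n))
            return 1;
    return 0;
}

/* Walk the ';'-separated attributes of a "pkcs11:" URI and apply check() to
 * every type= or object-type= value. Returns 1 if the URI passes, else 0. */
static int uri_type_accepted(const char *uri,
                             int (*check)(const char *, size_t))
{
    const char *p, *end;
    if (strncmp(uri, "pkcs11:", 7) != 0)
        return 0;
    for (p = uri + 7; *p; p = *end ? end + 1 : end) {
        end = strchr(p, ';');
        if (end == NULL)
            end = p + strlen(p);
        if (!strncmp(p, "type=", 5) || !strncmp(p, "object-type=", 12)) {
            const char *v = strchr(p, '=') + 1;
            if (!check(v, (size_t)(end - v)))
                return 0;
        }
    }
    return 1;
}

int main(void)
{
    /* One of the failing URIs from the thread. */
    const char *uri = "pkcs11:object=SIGN%20pubkey;object-type=public";

    printf("quoted check: %d, RFC 7512 values: %d\n",
           uri_type_accepted(uri, type_ok_as_quoted),
           uri_type_accepted(uri, type_ok_rfc7512));
    return 0;
}
```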
 

  
