Re: [openssl-dev] OpenSSL version 1.1.0 pre release 1 published
Hi,

I am sorry, but because of the relocation of the header files the 1.1.0 does not build on OpenVMS.
Please, allow some time to fix the OpenVMS build scripts.

Thank you.
Regards,
Z

-----Original Message-----
From: openssl-dev [mailto:openssl-dev-boun...@openssl.org] On Behalf Of OpenSSL
Sent: 10 December 2015 16:02
To: OpenSSL Developer ML; OpenSSL User Support ML; OpenSSL Announce ML
Subject: [openssl-dev] OpenSSL version 1.1.0 pre release 1 published

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

   OpenSSL version 1.1.0 pre release 1 (alpha)
   ===

   OpenSSL - The Open Source toolkit for SSL/TLS
   http://www.openssl.org/

   OpenSSL 1.1.0 is currently in alpha. OpenSSL 1.1.0 pre release 1 has now
   been made available. For details of changes and known issues see the
   release notes at:

        http://www.openssl.org/news/openssl-1.1.0-notes.html

   Note: This OpenSSL pre-release has been provided for testing ONLY.
   It should NOT be used for security critical purposes.

   The alpha release is available for download via HTTP and FTP from the
   following master locations (you can find the various FTP mirrors under
   http://www.openssl.org/source/mirror.html):

     * http://www.openssl.org/source/
     * ftp://ftp.openssl.org/source/

   The distribution file name is:

    o openssl-1.1.0-pre1.tar.gz
      Size: 4990889
      SHA1 checksum: a058b999e17e0c40988bd7b9b280c9876f62684e
      SHA256 checksum: 79da49c38464a19d1b328c2f4a3661849bd2eb3d54a37fdb6a56d9b8a18e87bd

   The checksums were calculated using the following commands:

    openssl sha1 openssl-1.1.0-pre1.tar.gz
    openssl sha256 openssl-1.1.0-pre1.tar.gz

   Please download and check this alpha release as soon as possible. Bug reports
   should go to r...@openssl.org. Please check the release notes
   and mailing lists to avoid duplicate reports of known issues.

   Yours,

   The OpenSSL Project Team.

___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] OpenSSL version 1.1.0 pre release 1 published
The building scripts are not at all updated, it's beyond repair. I'm (slowly) working on a new solution that doesn't require the separate update hell...

Cheers
Richard
Re: [openssl-dev] [openssl.org #4190] Missing Check for duplicate Prime-Value of p and q in openssl 0.9.8o
Hello,

I found the reason for the problem, it's definitely a program error:

The reason for it is in sub-program rsa_gen.c

    if (BN_cmp(rsa->p, rsa->q) < 0) {
        printf("Doppelt!") ;
        tmp = rsa->p;
        rsa->p = rsa->q;
        rsa->q = tmp;
    }

Here p and q should be switched if p > q. But this does not work, probably due to type-incompatible Variable "tmp".

So rsa->p gets the value of rsa->q but not vice versa:

root@debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl genrsa 128
Generating RSA private key, 128 bit long modulus
..+++
...+++
e is 65537 (0x10001)
p:C2F7ECB8D2F59273 Doppelt!q:C2F7ECB8D2F59273-----BEGIN RSA PRIVATE KEY-----
MGECAQACEQCxt/Mo0epqolFmAH7AinLnAgMBAAECECOQd0W09F9QNJjnYUzTA2kC
CQDpWa3+afRcvQIJAML37LjS9ZJzAggdBqK1+sgCoQIICN5IGTwXSXsCCEaUjQ+2
1lSi
-----END RSA PRIVATE KEY-----
root@debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl genrsa 128
Generating RSA private key, 128 bit long modulus
...+++
..+++
e is 65537 (0x10001)
p:EA361C8BFA9BA779 q:D5E2C6BB9B8BA893-----BEGIN RSA PRIVATE KEY-----
MGQCAQACEQDDrn9XKQBmujmYfSQ++5J7AgMBAAECEQCKoOvL9ts26ogA0yMVZFKx
AgkA6jYci/qbp3kCCQDV4sa7m4uokwIJAI6c+HD73n/xAggx7tN+kP21yQIJANCs
iuyMFDkp
-----END RSA PRIVATE KEY-----
root@debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl genrsa 128
Generating RSA private key, 128 bit long modulus
.+++
.+++
e is 65537 (0x10001)
p:C3412FF6A7505B29 Doppelt!q:C3412FF6A7505B29-----BEGIN RSA PRIVATE KEY-----
MGMCAQACEQCyfg3MCsahBogjE8RM+6yPAgMBAAECEEO3HMbfA7IMpHc7MT6WJZEC
CQDqBdvZfYT49wIJAMNBL/anUFspAgkAo33OVsZLFIcCCHPy1A6/EOLxAgkAj5Jg
TT5Qxxw=
-----END RSA PRIVATE KEY-----
root@debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl genrsa 128
Generating RSA private key, 128 bit long modulus
.+++
.+++
e is 65537 (0x10001)
p:C90F0AF5C806456F Doppelt!q:C90F0AF5C806456F-----BEGIN RSA PRIVATE KEY-----
MGMCAQACEQC5Blnuh/rwj672TEtpnqBbAgMBAAECEHWgVAwQ5reHi1vT7Mv8AgEC
CQDrlal9i7dV1QIJAMkPCvXIBkVvAgkAlW1jiUdyrVUCCF/WSswjP1IDAgkA6DRY
CoYAsOE=
-----END RSA PRIVATE KEY-----
root@debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl genrsa 128
Generating RSA private key, 128 bit long modulus
...+++
..+++
e is 65537 (0x10001)
p:DFE0EAAEF64A9ED3 q:DA49968E614FC9E9-----BEGIN RSA PRIVATE KEY-----
MGECAQACEQC+5eKmNv53y2Hn+t22uzkLAgMBAAECEHmAtlbW7/ZsapBlxpZlu1EC
CQDf4Oqu9kqe0wIJANpJlo5hT8npAggWUvAz6B1CvwIIYCU9fST7gdECCGudR6xt
O4sU
-----END RSA PRIVATE KEY-----

The code is still the same, even in Pre-Version 1.1.0

Regards,

Felix
Re: [openssl-dev] [openssl.org #4190] Missing Check for duplicate Prime-Value of p and q in openssl 0.9.8o
On Mon, Dec 21, 2015 at 01:51:45PM +, Felix via RT wrote:
> That does not matter from a technical point of view.
>
> The Problem is the same with 2048-Bit RSA.

If you're worried that p and q might be the same random number, I
think you should have other concerns.

Kurt
Re: [openssl-dev] openssl pkeyutl unable to use keys on a PKCS11 token?
>>> $ openssl dgst -engine pkcs11 -keyform engine -verify
>> > "pkcs11:object=SIGN%20pubkey;object-type=public" -sha256 -sigopt
>>
>> The current implementation of engine_pkcs11 seems to work with private
>> keys and certificates only. I've added a fix in engine_pkcs11, but it
>> seems that public key types were never tested for PKCS#11 URLs.
>
>Yes, mea culpa. I added the basic PKCS#11 URI parsing, and failed to
>test it with public keys.

Could you please point me at the code that needs fixing?

I’m trying to accomplish two goals:
- make all (most of?) the openssl commands work with “pkcs11:…” URL;
- make openssl (through engine_pkcs11) to stop prompting for the PIN to access public keys.

>I still suspect we should be using p11kit and not reimplementing the
>PKCS#11 URI parsing for ourselves. But really I want the whole engine
>to die and PKCS#11 to be supported as a first-class citizen within
>OpenSSL in crypto/p11/...

In the ideal world - yes. As it is though, I think we'd better get engine_pkcs11 fixed. ;)
Re: [openssl-dev] [openssl.org #4190] Missing Check for duplicate Prime-Value of p and q in openssl 0.9.8o
On Mon, Dec 21, 2015 at 09:36:11PM +, Felix via RT wrote:

> I found the reason for the problem, it's definitely a program error:

Pilot error.

> The reason for it is in sub-program rsa_gen.c
>
>     if (BN_cmp(rsa->p, rsa->q) < 0) {
>         tmp = rsa->p;
>         rsa->p = rsa->q;
>         rsa->q = tmp;
>     }

The code is just fine.

> # ./openssl genrsa 128
> ..+++
> ...+++
> e is 65537 (0x10001)
> p:C2F7ECB8D2F59273 Doppelt!q:C2F7ECB8D2F59273

No idea what's printing the output above, but the private key below:

> -----BEGIN RSA PRIVATE KEY-----
> MGECAQACEQCxt/Mo0epqolFmAH7AinLnAgMBAAECECOQd0W09F9QNJjnYUzTA2kC
> CQDpWa3+afRcvQIJAML37LjS9ZJzAggdBqK1+sgCoQIICN5IGTwXSXsCCEaUjQ+2
> 1lSi
> -----END RSA PRIVATE KEY-----

in fact has distinct p/q:

$ openssl rsa -noout -text <<-EOF
-----BEGIN RSA PRIVATE KEY-----
MGECAQACEQCxt/Mo0epqolFmAH7AinLnAgMBAAECECOQd0W09F9QNJjnYUzTA2kC
CQDpWa3+afRcvQIJAML37LjS9ZJzAggdBqK1+sgCoQIICN5IGTwXSXsCCEaUjQ+2
1lSi
-----END RSA PRIVATE KEY-----
EOF
Private-Key: (128 bit)
modulus:
    00:b1:b7:f3:28:d1:ea:6a:a2:51:66:00:7e:c0:8a:
    72:e7
publicExponent: 65537 (0x10001)
privateExponent:
    23:90:77:45:b4:f4:5f:50:34:98:e7:61:4c:d3:03:
    69
prime1: 16814661991975378109 (0xe959adfe69f45cbd)
prime2: 14048957841162998387 (0xc2f7ecb8d2f59273)
exponent1: 2091537979440366241 (0x1d06a2b5fac802a1)
exponent2: 639027470352730491 (0x8de48193c17497b)
coefficient: 5085844977839658146 (0x46948d0fb6d654a2)

and prime1 > prime2. This ticket should be closed.

--
Viktor.
Re: [openssl-dev] [openssl.org #4190] Missing Check for duplicate Prime-Value of p and q in openssl 0.9.8o
Hello,

I "pickup" rsa-p and rsa-q just one source-code-line after they were "filled" and output the variables using the BN_print_fp function.

please reopen the ticket.

Regards,

Felix

    for (;;) {
        if (!BN_generate_prime_ex(rsa->p, bitsp, 0, NULL, NULL, cb))
            goto err;
        printf(" p:");
        BN_print_fp(stdout,rsa->p);
        printf(" ");

        if (!BN_sub(r2, rsa->p, BN_value_one()))
            goto err;
        if (!BN_gcd(r1, r2, rsa->e, ctx))
            goto err;
        if (BN_is_one(r1))
            break;
        if (!BN_GENCB_call(cb, 2, n++))
            goto err;
    }
    if (!BN_GENCB_call(cb, 3, 0))
        goto err;
    for (;;) {
        /*
         * When generating ridiculously small keys, we can get stuck
         * continually regenerating the same prime values. Check for this and
         * bail if it happens 3 times.
         */
        unsigned int degenerate = 0;
        do {
            if (!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL, cb))
                goto err;
        } while ((BN_cmp(rsa->p, rsa->q) == 0) && (++degenerate < 10));
        if (degenerate == 10) {
            ok = 0; /* we set our own err */
            RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, RSA_R_KEY_SIZE_TOO_SMALL);
            goto err;
        }
        if (!BN_sub(r2, rsa->q, BN_value_one()))
            goto err;
        if (!BN_gcd(r1, r2, rsa->e, ctx))
            goto err;
        if (BN_is_one(r1))
            break;
        if (!BN_GENCB_call(cb, 2, n++))
            goto err;
    }
    if (!BN_GENCB_call(cb, 3, 1))
        goto err;
    if (BN_cmp(rsa->p, rsa->q) < 0) {
        printf("Doppelt!") ;
        tmp = rsa->p;
        rsa->p = rsa->q;
        rsa->q = tmp;
    }
    printf("q:");
    BN_print_fp(stdout,rsa->q);
[openssl-dev] [openssl.org #4190] Missing Check for duplicate Prime-Value of p and q in openssl 0.9.8o
You're not showing us how you output rsa->p and rsa->q. It doesn't make sense at all that you get "Doppelt!" if they were equal, so there's something wrong with your output. Also, it's been demonstrated (see mail by Viktor on openssl-dev) that the resulting key does have different p and q, with p > q.

For all intents and purposes, this seems not to be a bug. Closing this ticket.

Cheers,
Richard

--
Richard Levitte
levi...@openssl.org
[openssl-dev] [openssl.org #4190] Missing Check for duplicate Prime-Value of p and q in openssl 0.9.8o
You're displaying pre-swap p and post-swap q. If they do get swapped, you must understand that pre-swap p and post-swap q will be the same value.

If you really want to demonstrate something, please display *both* p and q before swap, and *both* p and q after swap.
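The effect described in the reply above, as an added example (not code from OpenSSL or from anyone in the thread): a toy model of the pointer swap in rsa_gen.c, fed with the hex values from the first two genrsa runs in the ticket and prime1 from Viktor's decode of the first key. struct toy_rsa, struct trace and all function names are made up for illustration, and 64-bit integers stand in for BIGNUMs.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the RSA struct: p and q are pointers, as in
 * rsa_gen.c, so the ordering step exchanges pointers, not numbers. */
struct toy_rsa {
    const uint64_t *p;
    const uint64_t *q;
};

/* Both primes captured at both points in time. */
struct trace {
    uint64_t p_before, q_before;
    uint64_t p_after, q_after;
    int swapped;
};

/* Values taken from the thread. Run 1: the generated p is the "p:" value
 * Felix printed; the generated q is prime1 from the decoded key.
 * Run 2: the p and q Felix printed for his second key. */
static const uint64_t RUN1_P = UINT64_C(0xC2F7ECB8D2F59273);
static const uint64_t RUN1_Q = UINT64_C(0xE959ADFE69F45CBD);
static const uint64_t RUN2_P = UINT64_C(0xEA361C8BFA9BA779);
static const uint64_t RUN2_Q = UINT64_C(0xD5E2C6BB9B8BA893);

/* Same ordering step as the quoted snippet: make p the larger prime. */
static int order_primes(struct toy_rsa *rsa)
{
    if (*rsa->p < *rsa->q) {            /* BN_cmp(rsa->p, rsa->q) < 0 */
        const uint64_t *tmp = rsa->p;
        rsa->p = rsa->q;
        rsa->q = tmp;
        return 1;
    }
    return 0;
}

static struct trace generate(const uint64_t *p, const uint64_t *q)
{
    struct toy_rsa rsa = { p, q };
    struct trace t;

    t.p_before = *rsa.p;
    t.q_before = *rsa.q;
    t.swapped = order_primes(&rsa);
    t.p_after = *rsa.p;
    t.q_after = *rsa.q;
    return t;
}

static struct trace run1(void) { return generate(&RUN1_P, &RUN1_Q); }
static struct trace run2(void) { return generate(&RUN2_P, &RUN2_Q); }

/* The instrumentation from the ticket: p logged before the swap, q after. */
static int mixed_log_looks_duplicate(struct trace t)
{
    return t.p_before == t.q_after;
}

/* A sound check compares both primes at the same point in time. */
static int primes_equal(struct trace t)
{
    return t.p_after == t.q_after;
}

static void report(const char *name, struct trace t)
{
    printf("%s: before p=%016" PRIX64 " q=%016" PRIX64 "\n",
           name, t.p_before, t.q_before);
    printf("%s: after  p=%016" PRIX64 " q=%016" PRIX64 "\n",
           name, t.p_after, t.q_after);
    printf("%s: swapped=%d mixed-log-duplicate=%d really-equal=%d\n",
           name, t.swapped, mixed_log_looks_duplicate(t), primes_equal(t));
}

int main(void)
{
    report("run1", run1());
    report("run2", run2());
    return 0;
}
```

A "duplicate" appears in the mixed log exactly when the swap ran, which matches the runs in the ticket where "Doppelt!" was printed.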
Re: [openssl-dev] [openssl.org #4190] Missing Check for duplicate Prime-Value of p and q in openssl 0.9.8o
O.K. you are right.

please close the ticket...

Regards,

Felix
[openssl-dev] [openssl.org #4190] Missing Check for duplicate Prime-Value of p and q in openssl 0.9.8o
As Ann points out, 128 bits is way too small, and this ticket does not justify
a new release for 0.9.8.
Please update; 0.9.8 is end of life.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org
[openssl-dev] [openssl.org #4192] [PATCH] differentiate SSL_* from from SSL_CTX_* in documentation
A couple places in the OpenSSL documentation claims that SSL_foo() takes an SSL_CTX* instead of an SSL*. i've corrected those here. --- doc/ssl/SSL_CTX_set1_verify_cert_store.pod | 8 doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/doc/ssl/SSL_CTX_set1_verify_cert_store.pod b/doc/ssl/SSL_CTX_set1_verify_cert_store.pod index af09f88..fbdd314 100644 --- a/doc/ssl/SSL_CTX_set1_verify_cert_store.pod +++ b/doc/ssl/SSL_CTX_set1_verify_cert_store.pod @@ -17,10 +17,10 @@ verification or chain store int SSL_CTX_set0_chain_cert_store(SSL_CTX *ctx, X509_STORE *st); int SSL_CTX_set1_chain_cert_store(SSL_CTX *ctx, X509_STORE *st); - int SSL_set0_verify_cert_store(SSL_CTX *ctx, X509_STORE *st); - int SSL_set1_verify_cert_store(SSL_CTX *ctx, X509_STORE *st); - int SSL_set0_chain_cert_store(SSL_CTX *ctx, X509_STORE *st); - int SSL_set1_chain_cert_store(SSL_CTX *ctx, X509_STORE *st); + int SSL_set0_verify_cert_store(SSL *ssl, X509_STORE *st); + int SSL_set1_verify_cert_store(SSL *ssl, X509_STORE *st); + int SSL_set0_chain_cert_store(SSL *ssl, X509_STORE *st); + int SSL_set1_chain_cert_store(SSL *ssl, X509_STORE *st); =head1 DESCRIPTION diff --git a/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod b/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod index 296699d..ea2ce5f 100644 --- a/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod +++ b/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod 
@@ -13,7 +13,7 @@ SSL_CTX_set_tmp_rsa_callback, SSL_CTX_set_tmp_rsa, SSL_CTX_need_tmp_rsa, SSL_set long SSL_CTX_set_tmp_rsa(SSL_CTX *ctx, RSA *rsa); long SSL_CTX_need_tmp_rsa(SSL_CTX *ctx); - void SSL_set_tmp_rsa_callback(SSL_CTX *ctx, + void SSL_set_tmp_rsa_callback(SSL *ssl, RSA *(*tmp_rsa_callback)(SSL *ssl, int is_export, int keylength)); long SSL_set_tmp_rsa(SSL *ssl, RSA *rsa) long SSL_need_tmp_rsa(SSL *ssl) -- 2.6.4 ___ openssl-bugs-mod mailing list openssl-bugs-...@openssl.org https://mta.openssl.org/mailman/listinfo/openssl-bugs-mod ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
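Review bot: In the doc/ssl/SSL_CTX_set1_verify_cert_store.pod hunk only the four SYNOPSIS prototypes are touched and the context stops at "=head1 DESCRIPTION", so nothing shown confirms that the description agrees with the corrected signatures. Please check that the paragraphs covering SSL_set0_verify_cert_store(), SSL_set1_verify_cert_store(), SSL_set0_chain_cert_store() and SSL_set1_chain_cert_store() speak of an SSL structure "ssl" rather than "ctx", and fix them in this same patch if they do not.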
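Review bot: In the doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod hunk, the two context prototypes directly after the changed line, "long SSL_set_tmp_rsa(SSL *ssl, RSA *rsa)" and "long SSL_need_tmp_rsa(SSL *ssl)", are missing the terminating semicolon that the SSL_CTX_ prototypes above them carry. Since this patch is already correcting the synopsis, add the two semicolons here so the block is consistent.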
Re: [openssl-dev] [openssl.org #4190] Missing Check for duplicate Prime-Value of p and q in openssl 0.9.8o
That does not matter from a technical point of view.

The Problem is the same with 2048-Bit RSA.

It's a general problem of the program-mechanism that could be changed very easily.

Openssl 1.0.X is still too buggy for me...

BTW: The mechanisms in 1.10 are still the same

Still no duplicate-check in source-code

Regards,

Felix
[openssl-dev] [openssl.org #4193] Minor Issue with X509_STORE_CTX_init and it's callers.
Hello all,
There is a minor issue with X509_STORE_CTX_init and its usage. Most of the callers of X509_STORE_CTX_init use a stack variable and pass its address as the ctx argument to this function. However, X509_STORE_CTX_init in case of an error in the call to CRYPTO_new_ex_data does an OPENSSL_free on this stack variable. This in theory should be ok as the underlying free implementation should probably be a no-op as this address is from the stack. However, on systems that do strict checks on allocated memory heap this can be a problem. One potential fix could be to remove the OPENSSL_free and let the caller take responsibility for his memory.
Thanks.
Srinivas
Re: [openssl-dev] [openssl.org #4193] Minor Issue with X509_STORE_CTX_init and it's callers.
On Tue, Dec 22, 2015 at 04:33:45AM +, Srinivas Koripella via RT wrote: > There is a minor issue with X509_STORE_CTX_init and its usage. Most of > the callers of X509_STORE_CTX_init use a stack variable and pass its > address as the ctx argument to this function. However, X509_STORE_CTX_init > in case of an error in the call to CRYPTO_new_ex_data does an OPENSSL_free > on this stack variable. This in theory should be ok as the underlying > free implementation should probably be a no-op as this address is from > the stack. Thanks for the report. The bug was introduced way back on 2001/09/01 by commit 79aa04ef27f69a1149d4d0e72d2d2953b6241ef0 and is present in OpenSSL 0.9.8 through 1.0.2. In the "master" development branch the extraneous "free" is gone, but the code is still not quite right, because the memset removed in 2001 really does belong (early) in X509_STORE_CTX_init() and should have been removed from X509_STORE_CTX_cleanup() instead, where zeroing data that is invalidated by cleanup is of course. Try the (lightly tested) patch below my signature. -- Viktor. diff --git a/apps/pkcs12.c b/apps/pkcs12.c index e41b445..cbb75b7 100644 --- a/apps/pkcs12.c +++ b/apps/pkcs12.c @@ -79,7 +79,8 @@ const EVP_CIPHER *enc; # define CLCERTS 0x8 # define CACERTS 0x10 -int get_cert_chain(X509 *cert, X509_STORE *store, STACK_OF(X509) **chain); +static int get_cert_chain(X509 *cert, X509_STORE *store, + STACK_OF(X509) **chain); int dump_certs_keys_p12(BIO *out, PKCS12 *p12, char *pass, int passlen, int options, char *pempass); int dump_certs_pkeys_bags(BIO *out, STACK_OF(PKCS12_SAFEBAG) *bags, @@ -594,7 +595,7 @@ int MAIN(int argc, char **argv) vret = get_cert_chain(ucert, store, ); X509_STORE_free(store); -if (!vret) { +if (vret == X509_V_OK) { /* Exclude verified certificate */ for (i = 1; i < sk_X509_num(chain2); i++) sk_X509_push(certs, sk_X509_value(chain2, i)); 
@@ -602,7 +603,7 @@ int MAIN(int argc, char **argv) X509_free(sk_X509_value(chain2, 0)); sk_X509_free(chain2); } else { -if (vret >= 0) +if (vret != X509_V_ERR_UNSPECIFIED) BIO_printf(bio_err, "Error %s getting chain.\n", X509_verify_cert_error_string(vret)); else @@ -906,36 +907,25 @@ int dump_certs_pkeys_bag(BIO *out, PKCS12_SAFEBAG *bag, char *pass, /* Given a single certificate return a verified chain or NULL if error */ -/* Hope this is OK */ - -int get_cert_chain(X509 *cert, X509_STORE *store, STACK_OF(X509) **chain) +static int get_cert_chain(X509 *cert, X509_STORE *store, + STACK_OF(X509) **chain) { X509_STORE_CTX store_ctx; -STACK_OF(X509) *chn; +STACK_OF(X509) *chn = NULL; int i = 0; -/* - * FIXME: Should really check the return status of X509_STORE_CTX_init - * for an error, but how that fits into the return value of this function - * is less obvious. - */ -X509_STORE_CTX_init(_ctx, store, cert, NULL); -if (X509_verify_cert(_ctx) <= 0) { -i = X509_STORE_CTX_get_error(_ctx); -if (i == 0) -/* - * avoid returning 0 if X509_verify_cert() did not set an - * appropriate error value in the context - */ -i = -1; -chn = NULL; -goto err; -} else +if (!X509_STORE_CTX_init(_ctx, store, cert, NULL)) { +*chain = NULL; +return X509_V_ERR_UNSPECIFIED; +} + +if (X509_verify_cert(_ctx) > 0) chn = X509_STORE_CTX_get1_chain(_ctx); - err: +else if ((i = X509_STORE_CTX_get_error(_ctx)) == 0) +i = X509_V_ERR_UNSPECIFIED; + X509_STORE_CTX_cleanup(_ctx); *chain = chn; - return i; } diff --git a/crypto/ts/ts_rsp_verify.c b/crypto/ts/ts_rsp_verify.c index da89911..29aa5a4 100644 --- a/crypto/ts/ts_rsp_verify.c +++ b/crypto/ts/ts_rsp_verify.c 
@@ -255,7 +255,8 @@ static int TS_verify_cert(X509_STORE *store, STACK_OF(X509) *untrusted, /* chain is an out argument. */ *chain = NULL; -X509_STORE_CTX_init(_ctx, store, signer, untrusted); +if (!X509_STORE_CTX_init(_ctx, store, signer, untrusted)) +return 0; X509_STORE_CTX_set_purpose(_ctx, X509_PURPOSE_TIMESTAMP_SIGN); i = X509_verify_cert(_ctx); if (i <= 0) { diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index ab94948..f44a4a0 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -2283,9 +2283,10 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, ctx->current_reasons = 0; ctx->tree = NULL; ctx->parent = NULL; +/* Zero ex_data to make sure we're cleanup-safe */ +memset(&(ctx->ex_data),0,sizeof(CRYPTO_EX_DATA));
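Review bot: In the rewritten get_cert_chain() in apps/pkcs12.c, the success branch assigns "chn = X509_STORE_CTX_get1_chain(...)" without checking the result, so if that call returns NULL the function still returns i == 0 and the caller's new "vret == X509_V_OK" branch treats a missing chain as a verified one. Set i to X509_V_ERR_UNSPECIFIED (or an out-of-memory code) when chn is NULL after a successful X509_verify_cert(). The comment kept above the function, "return a verified chain or NULL if error", no longer matches the interface either: the function returns an X509_V_* code and hands the chain back through *chain.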
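Review bot: In the TS_verify_cert() hunk in crypto/ts/ts_rsp_verify.c, the new early "return 0" after a failed X509_STORE_CTX_init() leaves the function without recording any reason, so the caller cannot tell a failed initialisation from a failed verification. If the "if (i <= 0)" branch that follows reports an error, report one here as well before returning.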
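Review bot: In the X509_STORE_CTX_init() hunk in crypto/x509/x509_vfy.c, the added memset of ctx->ex_data sits after the run of field assignments that ends with "ctx->parent = NULL", while the covering message says the memset belongs early in the function; if any failure path can be taken before this point, cleanup would still see uninitialised ex_data, so move it to the top of the initialisation. Two style points on the same line: put spaces after the commas, and prefer sizeof(ctx->ex_data) over sizeof(CRYPTO_EX_DATA) so the size follows the field.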
[openssl-dev] [openssl.org #4190] Missing Check for duplicate Prime-Value of p and q in openssl 0.9.8o
Hello, I found out, that in openssl 0.9.8 a check is missing for duplicate primes of p and q, see below. This is relevant when generating RSA-Keys:
root@debian6:/home/felix/Downloads/openssl-0.9.8o/apps# ./openssl genrsa 128
Generating RSA private key, 128 bit long modulus
...+++
.+++
e is 65537 (0x10001)
p:DBF7DA8B44ADCDD1 Phase 1 q:DBF7DA8B44ADCDD1 -BEGIN RSA PRIVATE KEY-
MGICAQACEQC+ePfpNx2CzoNDm/Aejm7HAgMBAAECEF/t7vYfUxaga1+R+6EPYiEC
CQDdrD6E0hkhFwIJANv32otErc3RAgkAz2HVG21zFQECCEW9PRKugZQhAgg9HQ6/
Pr0Uvg==
-END RSA PRIVATE KEY-
root@debian6:/home/felix/Downloads/openssl-0.9.8o/apps# ./openssl genrsa 128
Generating RSA private key, 128 bit long modulus
.+++
.+++
e is 65537 (0x10001)
p:DC32B965793AF86F Phase 1 q:C6F919F7AAA5EC71 -BEGIN RSA PRIVATE KEY-
MGUCAQACEQCrJX8Qy0q3bw5VN6G1mPz/AgMBAAECEQCbPCOI5BwdTE4K+TuIwOaB
AgkA3DK5ZXk6+G8CCQDG+Rn3qqXscQIJAKbu/YZkRcSZAgkAnE+DS+K+uLECCQCu
HHeujcFd/Q==
-END RSA PRIVATE KEY-
root@debian6:/home/felix/Downloads/openssl-0.9.8o/apps# ./openssl genrsa 128
Generating RSA private key, 128 bit long modulus
.+++
...+++
e is 65537 (0x10001)
p:EFAB9BC12A217257 Phase 1 q:C4B0A783D183DA55 -BEGIN RSA PRIVATE KEY-
MGMCAQACEQC4JMYPVKDUPrZfVf8B/gzjAgMBAAECEQCd8r0IbVi+c84EAM4bn4jR
AgkA76ubwSohclcCCQDEsKeD0YPaVQIIaHDg8+E3KAsCCELVeAZdof0FAgkAyqHj
yqUIUes=
-END RSA PRIVATE KEY-
root@debian6:/home/felix/Downloads/openssl-0.9.8o/apps# ./openssl genrsa 128
Generating RSA private key, 128 bit long modulus
..+++
.+++
e is 65537 (0x10001)
p:CA1A6069FBCE0E6B Phase 1 q:CA1A6069FBCE0E6B -BEGIN RSA PRIVATE KEY-
MGUCAQACEQDIjp/x7uVVrCNdf9Y1SpStAgMBAAECEQCyNiIkPe7lN1KFh4ubrk8V
AgkA/gq1dP5Y/0cCCQDKGmBp+84OawIJALlWjL4XFkzfAgkArBEa5wD4pXMCCQDW
mLQFBXBWbw==
-END RSA PRIVATE KEY-
root@debian6:/home/felix/Downloads/openssl-0.9.8o/apps# ./openssl genrsa 128
Generating RSA private key, 128 bit long modulus
...+++
.+++
e is 65537 (0x10001)
p:F4D74AA8BE84C4A3 Phase 1 q:D83D57FC191345D1 -BEGIN RSA PRIVATE KEY-
MGICAQACEQDO0FJxcT23cfxgf5/WfXgTAgMBAAECECNo7cS4o92FmsN9eYgtFiEC
CQD010qovoTEowIJANg9V/wZE0XRAghhDEkqk8HakwIJAKFKKD12qqRxAggvO+Uz
yUnU6g==
-END RSA PRIVATE KEY-
root@debian6:/home/felix/Downloads/openssl-0.9.8o/apps#
As, in my environment, p and q are identical in about 50% of the cases, this is in my opinion a big security hole, because p and q can be determined from N by calculating the square-root of N.
I will try to test this with a newer release of openssl as well.
Thank you.
Regards, Felix
Re: [openssl-dev] [openssl.org #4193] Minor Issue with X509_STORE_CTX_init and it's callers.
On Tue, Dec 22, 2015 at 06:53:54AM +, Viktor Dukhovni wrote:
> On Tue, Dec 22, 2015 at 04:33:45AM +, Srinivas Koripella via RT wrote:
>
> > There is a minor issue with X509_STORE_CTX_init and its usage. Most of
> > the callers of X509_STORE_CTX_init use a stack variable and pass its
> > address as the ctx argument to this function. However, X509_STORE_CTX_init
> > in case of an error in the call to CRYPTO_new_ex_data does an OPENSSL_free
> > on this stack variable. This in theory should be ok as the underlying
> > free implementation should probably be a no-op as this address is from
> > the stack.
>
> Thanks for the report. The bug was introduced way back on 2001/09/01
> by commit 79aa04ef27f69a1149d4d0e72d2d2953b6241ef0 and is present
> in OpenSSL 0.9.8 through 1.0.2.
>
> In the "master" development branch the extraneous "free" is gone,
> but the code is still not quite right, because the memset removed
> in 2001 really does belong (early) in X509_STORE_CTX_init() and
> should have been removed from X509_STORE_CTX_cleanup() instead,
> where zeroing data that is invalidated by cleanup is of course.
>
> Try the (lightly tested) patch below my signature.
Note, that patch was for 1.0.2e. No idea how cleanly it applies to other releases.
--
Viktor.
[openssl-dev] [openssl.org #4194] engine command regression in 1.1
Hello,
The OpenSSL engine command allows the user to specify the cryptographic module name at any position. For instance, README.ENGINE recommends the following:
    openssl engine dynamic \
        -pre SO_PATH:/lib/libfoo.so \
The master branch (future 1.1) requires engine names to be specified after all options. This is a regression introduced by the new common "option-parsing". Also, the new summary lacks information about the engine name as a command line argument.
Regards, Roumen Petrov
[openssl-dev] about "Rename some BUF_xxx to OPENSSL_xxx"
Hello, After modification OPENSSL_strlcpy is declared twice. Regards, Roumen
From 5f5b81e162eae025dcc40a7074a973621c7dac33 Mon Sep 17 00:00:00 2001 From: Roumen Petrov Date: Mon, 21 Dec 2015 18:45:06 +0200 Subject: [PATCH 02/15] redundant redeclaration of 'OPENSSL_strlcpy' --- include/openssl/crypto.h | 1 - 1 file changed, 1 deletion(-) diff --git a/include/openssl/crypto.h b/include/openssl/crypto.h index 8247f68..81e944d 100644 --- a/include/openssl/crypto.h +++ b/include/openssl/crypto.h @@ -332,7 +332,6 @@ int CRYPTO_is_mem_check_on(void); # define OPENSSL_free(addr) CRYPTO_free(addr) size_t OPENSSL_strlcpy(char *dst, const char *src, size_t siz); -size_t OPENSSL_strlcpy(char *dst, const char *src, size_t siz); size_t OPENSSL_strlcat(char *dst, const char *src, size_t siz); size_t OPENSSL_strnlen(const char *str, size_t maxlen); -- 1.8.4
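Review bot: The commit message for the removed second OPENSSL_strlcpy prototype in include/openssl/crypto.h consists only of the subject line, which repeats the compiler warning text and does not say where the duplicate came from. Add a short body naming the change that introduced it (the covering mail points at "Rename some BUF_xxx to OPENSSL_xxx") so the history explains why an identical declaration was present.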
Re: [openssl-dev] [openssl.org #3810] [PATCH] Improved P256 ECC performance by means of a dedicated function for modular inversion modulo the P256 group order
Hi,
> This patch is a contribution to OpenSSL.
>
> It concerns the P256 ECC implementation.
>
> The patch improves upon our previous submission, by providing a dedicated
> function to perform modular inversion modulo the P256 group order.
>
> Results:
> The performance improvements, for single threaded applications, compared to
> the current (development) version of OpenSSL are as follows.
>
> (measured by "openssl speed" utility)
>
>
> On Architecture Codename Haswell:
> ECDSA sign: 1.28X
> ECDSA verify: 1.10X
>
> On Architecture Broadwell:
> ECDSA sign: 1.42X
> ECDSA verify: 1.18X
>
> We license the whole submission under BSD license.
>
> Developers and authors:
> ***
> Shay Gueron (1, 2), and Vlad Krasnov (3)
> (1) University of Haifa, Israel
> (2) Intel Corporation, Israel Development Center, Haifa, Israel
> (3) CloudFlare, Inc.
> ***
Attached is a version refactored for the updated layout. It's a few percent faster than the original (for several small reasons, e.g. avoiding excessive %rip-relative addressing because it doesn't fuse, optimizing back-to-back value passing through registers in squaring) and probably more readable (for example squaring uses $acc6 and $acc7). Then I got nervous about the possibility of an unaccounted carry and rearranged the reduction step in a manner that precludes it. To be more specific, here is a fragment of the original reduction step:
    mov 8*1+.Lord(%rip), $t4
    mul $t0
    add $t1, $acc1
    adc \$0, $t3
    add $t4, $acc1
    mov $t0, $t1
    adc $t3, $acc2
    adc \$0, $t1
    sub $t0, $acc2
    sbb \$0, $t1
The concern was that if $t0 happens to be all-ones, then you risk an unaccounted carry in the last adc above. Well, upon a closer look the concern appears to be false, but as it's a bit counter-intuitive, an alternative is provided anyway.
diff --git a/crypto/ec/asm/ecp_nistz256-x86_64.pl b/crypto/ec/asm/ecp_nistz256-x86_64.pl index c2621c2..39e60da 100755 --- a/crypto/ec/asm/ecp_nistz256-x86_64.pl +++ b/crypto/ec/asm/ecp_nistz256-x86_64.pl 
@@ -2,7 +2,13 @@ ## ## -# Copyright 2014 Intel Corporation # +# Copyright (c) 2014,2015 Intel Corporation # +# Copyright (c) 2015 CloudFlare, Inc.# +# All rights reserved. # +## +# This software is dual licensed under the Apache V.2.0 and BSD licenses # +## +## ## # Licensed under the Apache License, Version 2.0 (the "License");# # you may not use this file except in compliance with the License. # @@ -18,10 +24,41 @@ ## ## ## +# Redistribution and use in source and binary forms, with or without# +# modification, are permitted provided that the following conditions are# +# met: # +## +# # Redistributions of source code must retain the above copyright # +# notice, this list of conditions and the following disclaimer. # +## +# # Redistributions in binary form must reproduce the above copyright # +# notice, this list of conditions and the following disclaimer in the# +# documentation and/or other materials provided with the # +# distribution. # +## +# # Neither the name of the copyright holders nor the names of its # +# contributors may be used to endorse or promote products derived from # +# this software without specific prior written permission. # +## +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS # +# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED # +# TO, THE
[openssl-dev] [openssl.org #4191] Re: Missing Check for duplicate Prime-Value of p and q in openssl 0.9.8o
P.S. Problem still exists in Version 0.9.8zh. Regards, Felix
On 21.12.2015 12:00, Felix wrote:
> Hello,
>
> I found out, that in openssl 0.9.8 a check is missing for duplicate
> primes of p and q, see below. This is relevant when generating RSA-Keys:
>
>
> root@debian6:/home/felix/Downloads/openssl-0.9.8o/apps# ./openssl
> genrsa 128
> Generating RSA private key, 128 bit long modulus
> ...+++
> .+++
> e is 65537 (0x10001)
> p:DBF7DA8B44ADCDD1 Phase 1 q:DBF7DA8B44ADCDD1 -BEGIN RSA PRIVATE
> KEY-
> MGICAQACEQC+ePfpNx2CzoNDm/Aejm7HAgMBAAECEF/t7vYfUxaga1+R+6EPYiEC
> CQDdrD6E0hkhFwIJANv32otErc3RAgkAz2HVG21zFQECCEW9PRKugZQhAgg9HQ6/
> Pr0Uvg==
> -END RSA PRIVATE KEY-
> root@debian6:/home/felix/Downloads/openssl-0.9.8o/apps# ./openssl
> genrsa 128
> Generating RSA private key, 128 bit long modulus
> .+++
> .+++
> e is 65537 (0x10001)
> p:DC32B965793AF86F Phase 1 q:C6F919F7AAA5EC71 -BEGIN RSA PRIVATE
> KEY-
> MGUCAQACEQCrJX8Qy0q3bw5VN6G1mPz/AgMBAAECEQCbPCOI5BwdTE4K+TuIwOaB
> AgkA3DK5ZXk6+G8CCQDG+Rn3qqXscQIJAKbu/YZkRcSZAgkAnE+DS+K+uLECCQCu
> HHeujcFd/Q==
> -END RSA PRIVATE KEY-
> root@debian6:/home/felix/Downloads/openssl-0.9.8o/apps# ./openssl
> genrsa 128
> Generating RSA private key, 128 bit long modulus
> .+++
> ...+++
> e is 65537 (0x10001)
> p:EFAB9BC12A217257 Phase 1 q:C4B0A783D183DA55 -BEGIN RSA PRIVATE
> KEY-
> MGMCAQACEQC4JMYPVKDUPrZfVf8B/gzjAgMBAAECEQCd8r0IbVi+c84EAM4bn4jR
> AgkA76ubwSohclcCCQDEsKeD0YPaVQIIaHDg8+E3KAsCCELVeAZdof0FAgkAyqHj
> yqUIUes=
> -END RSA PRIVATE KEY-
> root@debian6:/home/felix/Downloads/openssl-0.9.8o/apps# ./openssl
> genrsa 128
> Generating RSA private key, 128 bit long modulus
> ..+++
> .+++
> e is 65537 (0x10001)
> p:CA1A6069FBCE0E6B Phase 1 q:CA1A6069FBCE0E6B -BEGIN RSA PRIVATE
> KEY-
> MGUCAQACEQDIjp/x7uVVrCNdf9Y1SpStAgMBAAECEQCyNiIkPe7lN1KFh4ubrk8V
> AgkA/gq1dP5Y/0cCCQDKGmBp+84OawIJALlWjL4XFkzfAgkArBEa5wD4pXMCCQDW
> mLQFBXBWbw==
> -END RSA PRIVATE KEY-
> root@debian6:/home/felix/Downloads/openssl-0.9.8o/apps# ./openssl
> genrsa 128
> Generating RSA private key, 128 bit long modulus
> ...+++
> .+++
> e is 65537 (0x10001)
> p:F4D74AA8BE84C4A3 Phase 1 q:D83D57FC191345D1 -BEGIN RSA PRIVATE
> KEY-
> MGICAQACEQDO0FJxcT23cfxgf5/WfXgTAgMBAAECECNo7cS4o92FmsN9eYgtFiEC
> CQD010qovoTEowIJANg9V/wZE0XRAghhDEkqk8HakwIJAKFKKD12qqRxAggvO+Uz
> yUnU6g==
> -END RSA PRIVATE KEY-
> root@debian6:/home/felix/Downloads/openssl-0.9.8o/apps#
>
>
> As, in my environment, p and q are identical in about 50% of the
> cases, this is in my opinion a big security hole, because p and q can
> be determined from N by calculating the square-root of N.
>
> I will try to test this with a newer release of openssl as well.
>
> Thank you.
>
> Regards,
>
> Felix
Re: [openssl-dev] [openssl.org #4190] Missing Check for duplicate Prime-Value of p and q in openssl 0.9.8o
Felix, the real security hole is your key length. For a key length greater than 1024 p and q should never be identical. The chance of p being not a prime is probably greater. In case p=q the Euler function will be p(p-1), whereas OpenSSL uses (p-1)(q-1), i.e. (p-1)^2. In this case RSA, i.e. c:=m^e, m:=c^d, will not work.
/Ann.
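The arithmetic discussed in this thread, as an added example that is not part of any message above and is not OpenSSL code: it parses the first private key pasted in the report, checks whether its stored primes are equal or its modulus is a perfect square, and uses a constructed toy prime to show why decryption fails when p = q but d is derived from (p-1)(q-1). All function names are hypothetical, and the DER parser handles only the two-prime PKCS#1 layout with non-negative integers.

```python
import base64
from math import isqrt

# First private key pasted in the report (128-bit test key, copied from the page).
REPORTED_KEY_B64 = (
    "MGICAQACEQC+ePfpNx2CzoNDm/Aejm7HAgMBAAECEF/t7vYfUxaga1+R+6EPYiEC"
    "CQDdrD6E0hkhFwIJANv32otErc3RAgkAz2HVG21zFQECCEW9PRKugZQhAgg9HQ6/"
    "Pr0Uvg=="
)
FIELDS = ("version", "n", "e", "d", "p", "q", "dp", "dq", "qinv")

def read_length(buf, pos):
    """Decode the DER length at buf[pos]; return (length, next_pos)."""
    first = buf[pos]
    if first < 0x80:                      # short form
        return first, pos + 1
    count = first & 0x7F                  # long form: length in next bytes
    return int.from_bytes(buf[pos + 1:pos + 1 + count], "big"), pos + 1 + count

def parse_rsa_private_key(der):
    """Parse a two-prime PKCS#1 RSAPrivateKey into a dict of integers."""
    if not der or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    length, pos = read_length(der, 1)
    end = pos + length
    if end > len(der):
        raise ValueError("truncated key")
    values = []
    while pos < end:
        if der[pos] != 0x02:
            raise ValueError("expected INTEGER")
        length, pos = read_length(der, pos + 1)
        values.append(int.from_bytes(der[pos:pos + length], "big"))
        pos += length
    if len(values) != len(FIELDS):
        raise ValueError("unexpected number of integers")
    return dict(zip(FIELDS, values))

def load_reported_key():
    return parse_rsa_private_key(base64.b64decode(REPORTED_KEY_B64))

def audit_key(key):
    """Checks that flag the p == q case described in the thread."""
    n, p, q = key["n"], key["p"], key["q"]
    root = isqrt(n)
    return {
        "factors_match": p * q == n,
        "primes_equal": p == q,
        "modulus_is_square": root * root == n,  # sqrt(N) would give p
    }

def roundtrip_ok(p, q, e, m, phi):
    """Encrypt m, decrypt with d = e^-1 mod phi; True if m comes back."""
    n = p * q
    d = pow(e, -1, phi)
    return pow(pow(m, e, n), d, n) == m

if __name__ == "__main__":
    # -> {'factors_match': True, 'primes_equal': False, 'modulus_is_square': False}
    print(audit_key(load_reported_key()))
    p = 11                                          # constructed toy prime
    print(roundtrip_ok(p, p, 3, 2, (p - 1) ** 2))   # False: (p-1)(q-1) used
    print(roundtrip_ok(p, p, 3, 2, p * (p - 1)))    # True: phi(p^2) = p(p-1)
```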