Re: [openssl-dev] OpenSSL version 1.1.0 pre release 1 published

2015-12-21 Thread Zoltan Arpadffy
Hi,

I am sorry, but because of the relocation of the header files the 1.1.0 does
not build on OpenVMS.
Please, allow some time to fix the OpenVMS build scripts.

Thank you.
Regards,
Z 

-Original Message-
From: openssl-dev [mailto:openssl-dev-boun...@openssl.org] On Behalf Of
OpenSSL
Sent: den 10 december 2015 16:02
To: OpenSSL Developer ML; OpenSSL User Support ML; OpenSSL Announce ML
Subject: [openssl-dev] OpenSSL version 1.1.0 pre release 1 published

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


   OpenSSL version 1.1.0 pre release 1 (alpha)
   ===

   OpenSSL - The Open Source toolkit for SSL/TLS
   http://www.openssl.org/

   OpenSSL 1.1.0 is currently in alpha. OpenSSL 1.1.0 pre release 1 has now
   been made available. For details of changes and known issues see the
   release notes at:

http://www.openssl.org/news/openssl-1.1.0-notes.html

   Note: This OpenSSL pre-release has been provided for testing ONLY.
   It should NOT be used for security critical purposes.

   The alpha release is available for download via HTTP and FTP from the
   following master locations (you can find the various FTP mirrors under
   http://www.openssl.org/source/mirror.html):

 * http://www.openssl.org/source/
 * ftp://ftp.openssl.org/source/

   The distribution file name is:

o openssl-1.1.0-pre1.tar.gz
  Size: 4990889
  SHA1 checksum: a058b999e17e0c40988bd7b9b280c9876f62684e
  SHA256 checksum: 79da49c38464a19d1b328c2f4a3661849bd2eb3d54a37fdb6a56d9b8a18e87bd

   The checksums were calculated using the following commands:

openssl sha1 openssl-1.1.0-pre1.tar.gz
openssl sha256 openssl-1.1.0-pre1.tar.gz

   Please download and check this alpha release as soon as possible. Bug
   reports should go to r...@openssl.org. Please check the release notes
   and mailing lists to avoid duplicate reports of known issues.

   Yours,

   The OpenSSL Project Team.

___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev



Re: [openssl-dev] OpenSSL version 1.1.0 pre release 1 published

2015-12-21 Thread Richard Levitte
The building scripts are not at all updated, it's beyond repair. I'm (slowly) 
working on a new solution that doesn't require the separate update hell... 

Cheers 
Richard 

Zoltan Arpadffy  skrev: (21 december 2015 20:36:13 CET)
>Hi,
>
>I am sorry, but because of the relocation of the header files the 1.1.0
>does
>not build on OpenVMS.
>Please, allow some time to fix the OpenVMS build scripts.
>
>Thank you.
>Regards,
>Z 
>
>-Original Message-
>From: openssl-dev [mailto:openssl-dev-boun...@openssl.org] On Behalf Of
>OpenSSL
>Sent: den 10 december 2015 16:02
>To: OpenSSL Developer ML; OpenSSL User Support ML; OpenSSL Announce ML
>Subject: [openssl-dev] OpenSSL version 1.1.0 pre release 1 published
>
>-BEGIN PGP SIGNED MESSAGE-
>Hash: SHA1
>
>
>   OpenSSL version 1.1.0 pre release 1 (alpha)
>   ===
>
>   OpenSSL - The Open Source toolkit for SSL/TLS
>   http://www.openssl.org/
>
>OpenSSL 1.1.0 is currently in alpha. OpenSSL 1.1.0 pre release 1 has
>now
>   been made available. For details of changes and known issues see the
>   release notes at:
>
>http://www.openssl.org/news/openssl-1.1.0-notes.html
>
>   Note: This OpenSSL pre-release has been provided for testing ONLY.
>   It should NOT be used for security critical purposes.
>
>  The alpha release is available for download via HTTP and FTP from the
> following master locations (you can find the various FTP mirrors under
>   http://www.openssl.org/source/mirror.html):
>
> * http://www.openssl.org/source/
> * ftp://ftp.openssl.org/source/
>
>   The distribution file name is:
>
>o openssl-1.1.0-pre1.tar.gz
>  Size: 4990889
>  SHA1 checksum: a058b999e17e0c40988bd7b9b280c9876f62684e
>  SHA256 checksum:
>79da49c38464a19d1b328c2f4a3661849bd2eb3d54a37fdb6a56d9b8a18e87bd
>
>   The checksums were calculated using the following commands:
>
>openssl sha1 openssl-1.1.0-pre1.tar.gz
>openssl sha256 openssl-1.1.0-pre1.tar.gz
>
>  Please download and check this alpha release as soon as possible. Bug
>reports
>   should go to r...@openssl.org. Please check the release notes
>   and mailing lists to avoid duplicate reports of known issues.
>
>   Yours,
>
>   The OpenSSL Project Team.
>

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.


Re: [openssl-dev] [openssl.org #4190] Missing Check for duplicate Prime-Value of p and q in openssl 0.9.8o

2015-12-21 Thread Felix via RT
Hello,

I found the reason for the problem, it's definitely a program error:

The reason for it is in sub-program rsa_gen.c

if (BN_cmp(rsa->p, rsa->q) < 0)  {
 printf("Doppelt!") ;
 tmp = rsa->p;
 rsa->p = rsa->q;
 rsa->q = tmp;
 }

Here p and q should be switched if p > q. But this does not work, 
probably due to type-incompatible Variable "tmp".

So rsa->p gets the value of rsa->q but not vice versa:

root@debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl 
genrsa 128
Generating RSA private key, 128 bit long modulus
..+++
...+++
e is 65537 (0x10001)
  p:C2F7ECB8D2F59273 Doppelt!q:C2F7ECB8D2F59273-BEGIN RSA PRIVATE 
KEY-
MGECAQACEQCxt/Mo0epqolFmAH7AinLnAgMBAAECECOQd0W09F9QNJjnYUzTA2kC
CQDpWa3+afRcvQIJAML37LjS9ZJzAggdBqK1+sgCoQIICN5IGTwXSXsCCEaUjQ+2
1lSi
-END RSA PRIVATE KEY-
root@debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl 
genrsa 128
Generating RSA private key, 128 bit long modulus
...+++
..+++
e is 65537 (0x10001)
  p:EA361C8BFA9BA779 q:D5E2C6BB9B8BA893-BEGIN RSA PRIVATE KEY-
MGQCAQACEQDDrn9XKQBmujmYfSQ++5J7AgMBAAECEQCKoOvL9ts26ogA0yMVZFKx
AgkA6jYci/qbp3kCCQDV4sa7m4uokwIJAI6c+HD73n/xAggx7tN+kP21yQIJANCs
iuyMFDkp
-END RSA PRIVATE KEY-
root@debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl 
genrsa 128
Generating RSA private key, 128 bit long modulus
.+++
.+++
e is 65537 (0x10001)
  p:C3412FF6A7505B29 Doppelt!q:C3412FF6A7505B29-BEGIN RSA PRIVATE 
KEY-
MGMCAQACEQCyfg3MCsahBogjE8RM+6yPAgMBAAECEEO3HMbfA7IMpHc7MT6WJZEC
CQDqBdvZfYT49wIJAMNBL/anUFspAgkAo33OVsZLFIcCCHPy1A6/EOLxAgkAj5Jg
TT5Qxxw=
-END RSA PRIVATE KEY-
root@debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl 
genrsa 128
Generating RSA private key, 128 bit long modulus
.+++
.+++
e is 65537 (0x10001)
  p:C90F0AF5C806456F Doppelt!q:C90F0AF5C806456F-BEGIN RSA PRIVATE 
KEY-
MGMCAQACEQC5Blnuh/rwj672TEtpnqBbAgMBAAECEHWgVAwQ5reHi1vT7Mv8AgEC
CQDrlal9i7dV1QIJAMkPCvXIBkVvAgkAlW1jiUdyrVUCCF/WSswjP1IDAgkA6DRY
CoYAsOE=
-END RSA PRIVATE KEY-
root@debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl 
genrsa 128
Generating RSA private key, 128 bit long modulus
...+++
..+++
e is 65537 (0x10001)
  p:DFE0EAAEF64A9ED3 q:DA49968E614FC9E9-BEGIN RSA PRIVATE KEY-
MGECAQACEQC+5eKmNv53y2Hn+t22uzkLAgMBAAECEHmAtlbW7/ZsapBlxpZlu1EC
CQDf4Oqu9kqe0wIJANpJlo5hT8npAggWUvAz6B1CvwIIYCU9fST7gdECCGudR6xt
O4sU
-END RSA PRIVATE KEY

The code is still the same, even in Pre-Version 1.1.0

Regards,

Felix


Am 21.12.2015 21:38, schrieb Kurt Roeckx via RT:
> On Mon, Dec 21, 2015 at 01:51:45PM +, Felix via RT wrote:
>> That does not matter from a technical point of view.
>>
>> The Problem ist the same with 2048-Bit RSA.
> If you're worried that p and q might be the same random number, I
> think you should have other concerns.
>
>
> Kurt
>
>
>




Re: [openssl-dev] [openssl.org #4190] Missing Check for duplicate Prime-Value of p and q in openssl 0.9.8o

2015-12-21 Thread Kurt Roeckx via RT
On Mon, Dec 21, 2015 at 01:51:45PM +, Felix via RT wrote:
> That does not matter from a technical point of view.
> 
> The Problem ist the same with 2048-Bit RSA.

If you're worried that p and q might be the same random number, I
think you should have other concerns.


Kurt




Re: [openssl-dev] openssl pkeyutl unable to use keys on a PKCS11 token?

2015-12-21 Thread Blumenthal, Uri - 0553 - MITLL
>>> $ openssl dgst -engine pkcs11 -keyform engine -verify
>> > "pkcs11:object=SIGN%20pubkey;object-type=public" -sha256 -sigopt
>> 
>> The current implementation of engine_pkcs11 seems to work with private
>> keys and certificates only. I've added a fix in engine_pkcs11, but it
>> seems that public key types were never tested for PKCS#11 URLs.
>
>Yes, mea culpa. I added the basic PKCS#11 URI parsing, and failed to
>test it with public keys.

Could you please point me at the code that needs fixing?

I’m trying to accomplish two goals:
 - make all (most of?) the openssl commands work with “pkcs11:…” URL;
 - make openssl (through engine_pkcs11) stop prompting for the PIN to
access public keys.

>I still suspect we should be using p11kit and not reimplementing the
>PKCS#11 URI parsing for ourselves. But really I want the whole engine
>to die and PKCS#11 to be supported as a first-class citizen within
>OpenSSL in crypto/p11/...

In the ideal world - yes. As it is though, I think we'd better get
engine_pkcs11 fixed. ;)




Re: [openssl-dev] [openssl.org #4190] Missing Check for duplicate Prime-Value of p and q in openssl 0.9.8o

2015-12-21 Thread Viktor Dukhovni
On Mon, Dec 21, 2015 at 09:36:11PM +, Felix via RT wrote:

> I found the reason for the problem, it´s definately a program error:

Pilot error.

> The reason for it is in sub-program rsa_gen.c
> 
> if (BN_cmp(rsa->p, rsa->q) < 0)  {
>  tmp = rsa->p;
>  rsa->p = rsa->q;
>  rsa->q = tmp;
>  }

The code is just fine.

> # ./openssl genrsa 128
> ..+++
> ...+++
> e is 65537 (0x10001)
>   p:C2F7ECB8D2F59273 Doppelt!q:C2F7ECB8D2F59273

No idea what's printing the output above, but the private key below:

> -----BEGIN RSA PRIVATE KEY-----
> MGECAQACEQCxt/Mo0epqolFmAH7AinLnAgMBAAECECOQd0W09F9QNJjnYUzTA2kC
> CQDpWa3+afRcvQIJAML37LjS9ZJzAggdBqK1+sgCoQIICN5IGTwXSXsCCEaUjQ+2
> 1lSi
> -----END RSA PRIVATE KEY-----

in fact has distinct p/q:

$ openssl rsa -noout -text <<-EOF
-----BEGIN RSA PRIVATE KEY-----
MGECAQACEQCxt/Mo0epqolFmAH7AinLnAgMBAAECECOQd0W09F9QNJjnYUzTA2kC
CQDpWa3+afRcvQIJAML37LjS9ZJzAggdBqK1+sgCoQIICN5IGTwXSXsCCEaUjQ+2
1lSi
-----END RSA PRIVATE KEY-----
EOF
Private-Key: (128 bit)
modulus:
00:b1:b7:f3:28:d1:ea:6a:a2:51:66:00:7e:c0:8a:
72:e7
publicExponent: 65537 (0x10001)
privateExponent:
23:90:77:45:b4:f4:5f:50:34:98:e7:61:4c:d3:03:
69
prime1: 16814661991975378109 (0xe959adfe69f45cbd)
prime2: 14048957841162998387 (0xc2f7ecb8d2f59273)
exponent1: 2091537979440366241 (0x1d06a2b5fac802a1)
exponent2: 639027470352730491 (0x8de48193c17497b)
coefficient: 5085844977839658146 (0x46948d0fb6d654a2)

and prime1 > prime2.  This ticket should be closed.

-- 
Viktor.


Re: [openssl-dev] [openssl.org #4190] Missing Check for duplicate Prime-Value of p and q in openssl 0.9.8o

2015-12-21 Thread Felix via RT
Hello,

I "pickup" rsa-p and rsa-q just one source-code-line after they were 
"filled" and output the variables using the BN_print_fp function.

Please reopen the ticket.

Regards,

Felix


    for (;;) {
        if (!BN_generate_prime_ex(rsa->p, bitsp, 0, NULL, NULL, cb))
            goto err;
        printf(" p:");
        BN_print_fp(stdout, rsa->p);
        printf(" ");

        if (!BN_sub(r2, rsa->p, BN_value_one()))
            goto err;
        if (!BN_gcd(r1, r2, rsa->e, ctx))
            goto err;
        if (BN_is_one(r1))
            break;
        if (!BN_GENCB_call(cb, 2, n++))
            goto err;
    }
    if (!BN_GENCB_call(cb, 3, 0))
        goto err;
    for (;;) {
        /*
         * When generating ridiculously small keys, we can get stuck
         * continually regenerating the same prime values. Check for this and
         * bail if it happens 3 times.
         */
        unsigned int degenerate = 0;
        do {
            if (!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL, cb))
                goto err;
        } while ((BN_cmp(rsa->p, rsa->q) == 0) && (++degenerate < 10));
        if (degenerate == 10) {
            ok = 0; /* we set our own err */
            RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, RSA_R_KEY_SIZE_TOO_SMALL);
            goto err;
        }
        if (!BN_sub(r2, rsa->q, BN_value_one()))
            goto err;
        if (!BN_gcd(r1, r2, rsa->e, ctx))
            goto err;
        if (BN_is_one(r1))
            break;
        if (!BN_GENCB_call(cb, 2, n++))
            goto err;
    }
    if (!BN_GENCB_call(cb, 3, 1))
        goto err;
    if (BN_cmp(rsa->p, rsa->q) < 0) {
        printf("Doppelt!");
        tmp = rsa->p;
        rsa->p = rsa->q;
        rsa->q = tmp;
    }
    printf("q:");
    BN_print_fp(stdout, rsa->q);




Am 21.12.2015 23:42, schrieb Richard Levitte via RT:
> You're not showing us how you output rsa->p and rsa->q. It doesn't make sense
> at all that you get "Doppelt!" if they were equal, so there's something wrong
> with your output. Also, it's been demonstrated (see mail by Viktor on
> openssl-dev) that the resulting key does have different p and q, with p > q.
>
> For all intents and purposes, this seems not to be a bug. Closing this ticket.
>
> Cheers,
> Richard
>
> Vid Mon, 21 Dec 2015 kl. 21.36.10, skrev felix.wiedenr...@gmx.de:
>> Hello,
>>
>> I found the reason for the problem, it´s definately a program error:
>>
>> The reason for it is in sub-program rsa_gen.c
>>
>> if (BN_cmp(rsa->p, rsa->q) < 0) {
>> printf("Doppelt!") ;
>> tmp = rsa->p;
>> rsa->p = rsa->q;
>> rsa->q = tmp;
>> }
>>
>> Here p and q should be switched if p > q. But this does not work,
>> probably due to type-incompatible Variable "tmp".
>>
>> So rsa->p gets the value of rsa->q but not vice versa:
>>
>> root@debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl
>> genrsa 128
>> Generating RSA private key, 128 bit long modulus
>> ..+++
>> ...+++
>> e is 65537 (0x10001)
>> p:C2F7ECB8D2F59273 Doppelt!q:C2F7ECB8D2F59273-BEGIN RSA PRIVATE
>> KEY-
>> MGECAQACEQCxt/Mo0epqolFmAH7AinLnAgMBAAECECOQd0W09F9QNJjnYUzTA2kC
>> CQDpWa3+afRcvQIJAML37LjS9ZJzAggdBqK1+sgCoQIICN5IGTwXSXsCCEaUjQ+2
>> 1lSi
>> -END RSA PRIVATE KEY-
>> root@debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl
>> genrsa 128
>> Generating RSA private key, 128 bit long modulus
>> ...+++
>> ..+++
>> e is 65537 (0x10001)
>> p:EA361C8BFA9BA779 q:D5E2C6BB9B8BA893-BEGIN RSA PRIVATE KEY-
>> MGQCAQACEQDDrn9XKQBmujmYfSQ++5J7AgMBAAECEQCKoOvL9ts26ogA0yMVZFKx
>> AgkA6jYci/qbp3kCCQDV4sa7m4uokwIJAI6c+HD73n/xAggx7tN+kP21yQIJANCs
>> iuyMFDkp
>> -END RSA PRIVATE KEY-
>> root@debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl
>> genrsa 128
>> Generating RSA private key, 128 bit long modulus
>> .+++
>> .+++
>> e is 65537 (0x10001)
>> p:C3412FF6A7505B29 Doppelt!q:C3412FF6A7505B29-BEGIN RSA PRIVATE
>> KEY-
>> MGMCAQACEQCyfg3MCsahBogjE8RM+6yPAgMBAAECEEO3HMbfA7IMpHc7MT6WJZEC
>> CQDqBdvZfYT49wIJAMNBL/anUFspAgkAo33OVsZLFIcCCHPy1A6/EOLxAgkAj5Jg
>> TT5Qxxw=
>> -END RSA PRIVATE KEY-
>> root@debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl
>> genrsa 128
>> Generating RSA private key, 128 bit long modulus
>> .+++
>> .+++
>> e is 65537 (0x10001)
>> p:C90F0AF5C806456F Doppelt!q:C90F0AF5C806456F-BEGIN RSA PRIVATE
>> KEY-
>> MGMCAQACEQC5Blnuh/rwj672TEtpnqBbAgMBAAECEHWgVAwQ5reHi1vT7Mv8AgEC
>> CQDrlal9i7dV1QIJAMkPCvXIBkVvAgkAlW1jiUdyrVUCCF/WSswjP1IDAgkA6DRY
>> CoYAsOE=
>> -END RSA PRIVATE KEY-
>> root@debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl
>> genrsa 128
>> Generating RSA private key, 128 bit long modulus
>> ...+++
>> ..+++
>> e is 65537 (0x10001)
>> 

[openssl-dev] [openssl.org #4190] Missing Check for duplicate Prime-Value of p and q in openssl 0.9.8o

2015-12-21 Thread Richard Levitte via RT
You're not showing us how you output rsa->p and rsa->q. It doesn't make sense
at all that you get "Doppelt!" if they were equal, so there's something wrong
with your output. Also, it's been demonstrated (see mail by Viktor on
openssl-dev) that the resulting key does have different p and q, with p > q.

For all intents and purposes, this seems not to be a bug. Closing this ticket.

Cheers,
Richard

Vid Mon, 21 Dec 2015 kl. 21.36.10, skrev felix.wiedenr...@gmx.de:
> Hello,
>
> I found the reason for the problem, it´s definately a program error:
>
> The reason for it is in sub-program rsa_gen.c
>
> if (BN_cmp(rsa->p, rsa->q) < 0) {
> printf("Doppelt!") ;
> tmp = rsa->p;
> rsa->p = rsa->q;
> rsa->q = tmp;
> }
>
> Here p and q should be switched if p > q. But this does not work,
> probably due to type-incompatible Variable "tmp".
>
> So rsa->p gets the value of rsa->q but not vice versa:
>
> root@debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl
> genrsa 128
> Generating RSA private key, 128 bit long modulus
> ..+++
> ...+++
> e is 65537 (0x10001)
> p:C2F7ECB8D2F59273 Doppelt!q:C2F7ECB8D2F59273-BEGIN RSA PRIVATE
> KEY-
> MGECAQACEQCxt/Mo0epqolFmAH7AinLnAgMBAAECECOQd0W09F9QNJjnYUzTA2kC
> CQDpWa3+afRcvQIJAML37LjS9ZJzAggdBqK1+sgCoQIICN5IGTwXSXsCCEaUjQ+2
> 1lSi
> -END RSA PRIVATE KEY-
> root@debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl
> genrsa 128
> Generating RSA private key, 128 bit long modulus
> ...+++
> ..+++
> e is 65537 (0x10001)
> p:EA361C8BFA9BA779 q:D5E2C6BB9B8BA893-BEGIN RSA PRIVATE KEY-
> MGQCAQACEQDDrn9XKQBmujmYfSQ++5J7AgMBAAECEQCKoOvL9ts26ogA0yMVZFKx
> AgkA6jYci/qbp3kCCQDV4sa7m4uokwIJAI6c+HD73n/xAggx7tN+kP21yQIJANCs
> iuyMFDkp
> -END RSA PRIVATE KEY-
> root@debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl
> genrsa 128
> Generating RSA private key, 128 bit long modulus
> .+++
> .+++
> e is 65537 (0x10001)
> p:C3412FF6A7505B29 Doppelt!q:C3412FF6A7505B29-BEGIN RSA PRIVATE
> KEY-
> MGMCAQACEQCyfg3MCsahBogjE8RM+6yPAgMBAAECEEO3HMbfA7IMpHc7MT6WJZEC
> CQDqBdvZfYT49wIJAMNBL/anUFspAgkAo33OVsZLFIcCCHPy1A6/EOLxAgkAj5Jg
> TT5Qxxw=
> -END RSA PRIVATE KEY-
> root@debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl
> genrsa 128
> Generating RSA private key, 128 bit long modulus
> .+++
> .+++
> e is 65537 (0x10001)
> p:C90F0AF5C806456F Doppelt!q:C90F0AF5C806456F-BEGIN RSA PRIVATE
> KEY-
> MGMCAQACEQC5Blnuh/rwj672TEtpnqBbAgMBAAECEHWgVAwQ5reHi1vT7Mv8AgEC
> CQDrlal9i7dV1QIJAMkPCvXIBkVvAgkAlW1jiUdyrVUCCF/WSswjP1IDAgkA6DRY
> CoYAsOE=
> -END RSA PRIVATE KEY-
> root@debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl
> genrsa 128
> Generating RSA private key, 128 bit long modulus
> ...+++
> ..+++
> e is 65537 (0x10001)
> p:DFE0EAAEF64A9ED3 q:DA49968E614FC9E9-BEGIN RSA PRIVATE KEY-
> MGECAQACEQC+5eKmNv53y2Hn+t22uzkLAgMBAAECEHmAtlbW7/ZsapBlxpZlu1EC
> CQDf4Oqu9kqe0wIJANpJlo5hT8npAggWUvAz6B1CvwIIYCU9fST7gdECCGudR6xt
> O4sU
> -END RSA PRIVATE KEY
>
> The code is still the same, even in Pre-Version 1.1.0
>
> Regards,
>
> Felix
>
>
> Am 21.12.2015 21:38, schrieb Kurt Roeckx via RT:
> > On Mon, Dec 21, 2015 at 01:51:45PM +, Felix via RT wrote:
> >> That does not matter from a technical point of view.
> >>
> >> The Problem ist the same with 2048-Bit RSA.
> > If you're worried that p and q might be the same random number, I
> > think you should have other concerns.
> >
> >
> > Kurt
> >
> >
> >
>


--
Richard Levitte
levi...@openssl.org



[openssl-dev] [openssl.org #4190] Missing Check for duplicate Prime-Value of p and q in openssl 0.9.8o

2015-12-21 Thread Richard Levitte via RT
You're displaying pre-swap p and post-swap q. If they do get swapped, you must
understand that pre-swap p and post-swap q will be the same value.

If you really want to demonstrate something, please display *both* p and q
before swap, and *both* p and q after swap.

Vid Mon, 21 Dec 2015 kl. 23.00.38, skrev felix.wiedenr...@gmx.de:
> Hello,
>
> I "pickup" rsa-p and rsa-q just one source-code-line after they were
> "filled" and output the variables using the BN_print_fp function.
>
> please reopen the ticket.
>
> Regards,
>
> Felix
>
>
> for (;;) {
> if (!BN_generate_prime_ex(rsa->p, bitsp, 0, NULL, NULL, cb))
> goto err;
> printf(" p:");
> BN_print_fp(stdout,rsa->p);
> printf(" ");
>
> if (!BN_sub(r2, rsa->p, BN_value_one()))
> goto err;
> if (!BN_gcd(r1, r2, rsa->e, ctx))
> goto err;
> if (BN_is_one(r1))
> break;
> if (!BN_GENCB_call(cb, 2, n++))
> goto err;
> }
> if (!BN_GENCB_call(cb, 3, 0))
> goto err;
> for (;;) {
> /*
> * When generating ridiculously small keys, we can get stuck
> * continually regenerating the same prime values. Check for
> this and
> * bail if it happens 3 times.
> */
> unsigned int degenerate = 0;
> do {
> if (!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL, cb))
> goto err;
> }
> while ((BN_cmp(rsa->p, rsa->q) == 0) && (++degenerate < 10));
> if (degenerate == 10) {
> ok = 0; /* we set our own err */
> RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, RSA_R_KEY_SIZE_TOO_SMALL);
> goto err;
> }
> if (!BN_sub(r2, rsa->q, BN_value_one()))
> goto err;
> if (!BN_gcd(r1, r2, rsa->e, ctx))
> goto err;
> if (BN_is_one(r1))
> break;
> if (!BN_GENCB_call(cb, 2, n++))
> goto err;
> }
> if (!BN_GENCB_call(cb, 3, 1))
> goto err;
> if (BN_cmp(rsa->p, rsa->q) < 0) {
> printf("Doppelt!") ;
> tmp = rsa->p;
> rsa->p = rsa->q;
> rsa->q = tmp;
> }
> printf("q:");
> BN_print_fp(stdout,rsa->q);
>
>
>
>
> Am 21.12.2015 23:42, schrieb Richard Levitte via RT:
> > You're not showing us how you output rsa->p and rsa->q. It doesn't
> > make sense
> > at all that you get "Doppelt!" if they were equal, so there's
> > something wrong
> > with your output. Also, it's been demonstrated (see mail by Viktor on
> > openssl-dev) that the resulting key does have different p and q, with
> > p > q.
> >
> > For all intents and purposes, this seems not to be a bug. Closing
> > this ticket.
> >
> > Cheers,
> > Richard
> >
> > Vid Mon, 21 Dec 2015 kl. 21.36.10, skrev felix.wiedenr...@gmx.de:
> >> Hello,
> >>
> >> I found the reason for the problem, it´s definately a program error:
> >>
> >> The reason for it is in sub-program rsa_gen.c
> >>
> >> if (BN_cmp(rsa->p, rsa->q) < 0) {
> >> printf("Doppelt!") ;
> >> tmp = rsa->p;
> >> rsa->p = rsa->q;
> >> rsa->q = tmp;
> >> }
> >>
> >> Here p and q should be switched if p > q. But this does not work,
> >> probably due to type-incompatible Variable "tmp".
> >>
> >> So rsa->p gets the value of rsa->q but not vice versa:
> >>
> >> root@debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl
> >> genrsa 128
> >> Generating RSA private key, 128 bit long modulus
> >> ..+++
> >> ...+++
> >> e is 65537 (0x10001)
> >> p:C2F7ECB8D2F59273 Doppelt!q:C2F7ECB8D2F59273-BEGIN RSA PRIVATE
> >> KEY-
> >> MGECAQACEQCxt/Mo0epqolFmAH7AinLnAgMBAAECECOQd0W09F9QNJjnYUzTA2kC
> >> CQDpWa3+afRcvQIJAML37LjS9ZJzAggdBqK1+sgCoQIICN5IGTwXSXsCCEaUjQ+2
> >> 1lSi
> >> -END RSA PRIVATE KEY-
> >> root@debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl
> >> genrsa 128
> >> Generating RSA private key, 128 bit long modulus
> >> ...+++
> >> ..+++
> >> e is 65537 (0x10001)
> >> p:EA361C8BFA9BA779 q:D5E2C6BB9B8BA893-BEGIN RSA PRIVATE KEY-
> >> MGQCAQACEQDDrn9XKQBmujmYfSQ++5J7AgMBAAECEQCKoOvL9ts26ogA0yMVZFKx
> >> AgkA6jYci/qbp3kCCQDV4sa7m4uokwIJAI6c+HD73n/xAggx7tN+kP21yQIJANCs
> >> iuyMFDkp
> >> -END RSA PRIVATE KEY-
> >> root@debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl
> >> genrsa 128
> >> Generating RSA private key, 128 bit long modulus
> >> .+++
> >> .+++
> >> e is 65537 (0x10001)
> >> p:C3412FF6A7505B29 Doppelt!q:C3412FF6A7505B29-BEGIN RSA PRIVATE
> >> KEY-
> >> MGMCAQACEQCyfg3MCsahBogjE8RM+6yPAgMBAAECEEO3HMbfA7IMpHc7MT6WJZEC
> >> CQDqBdvZfYT49wIJAMNBL/anUFspAgkAo33OVsZLFIcCCHPy1A6/EOLxAgkAj5Jg
> >> TT5Qxxw=
> >> -END RSA PRIVATE KEY-
> >> root@debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl
> >> genrsa 128
> >> Generating RSA private key, 128 bit long modulus
> >> .+++
> >> .+++
> >> e is 65537 (0x10001)
> >> p:C90F0AF5C806456F Doppelt!q:C90F0AF5C806456F-BEGIN RSA PRIVATE
> >> KEY-
> >> MGMCAQACEQC5Blnuh/rwj672TEtpnqBbAgMBAAECEHWgVAwQ5reHi1vT7Mv8AgEC
> >> CQDrlal9i7dV1QIJAMkPCvXIBkVvAgkAlW1jiUdyrVUCCF/WSswjP1IDAgkA6DRY
> >> CoYAsOE=
> >> -END RSA PRIVATE KEY-
> >> root@debian6:/home/felix/Downloads/openssl-0.9.8zh/apps# ./openssl
> 
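
The check Viktor ran with `openssl rsa -text` and the pre-swap/post-swap effect Richard describes, reproduced as an added example (not code from the thread or from OpenSSL): it parses the first key posted in the thread and compares its stored primes with the values the instrumented build printed. The function names are made up for this example, and `debug_trace` is a simplified model of the posted instrumentation, not the rsa_gen.c code itself.

```python
import base64

# Base64 body of the first 128-bit key posted in this thread (PEM armor omitted).
KEY_B64 = (
    "MGECAQACEQCxt/Mo0epqolFmAH7AinLnAgMBAAECECOQd0W09F9QNJjnYUzTA2kC"
    "CQDpWa3+afRcvQIJAML37LjS9ZJzAggdBqK1+sgCoQIICN5IGTwXSXsCCEaUjQ+2"
    "1lSi"
)
# What the instrumented build printed for that key: "p:... Doppelt!q:...".
PRINTED_P = 0xC2F7ECB8D2F59273
PRINTED_Q = 0xC2F7ECB8D2F59273

# PKCS#1 RSAPrivateKey is a SEQUENCE of nine INTEGERs, in this order.
FIELDS = ("version", "n", "e", "d", "p", "q", "dmp1", "dmq1", "iqmp")


def read_tlv(buf, pos):
    """Read one DER TLV starting at pos; return (tag, value_bytes, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("DER value runs past the end of the buffer")
    return tag, buf[pos:end], end


def parse_rsa_private_key(der):
    """Return the nine RSAPrivateKey integers as a dict keyed by FIELDS."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one DER SEQUENCE")
    values, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        if tag != 0x02:
            raise ValueError("expected INTEGER inside RSAPrivateKey")
        values.append(int.from_bytes(val, "big"))
    if len(values) != len(FIELDS):
        raise ValueError("not a two-prime RSAPrivateKey")
    return dict(zip(FIELDS, values))


def load_thread_key():
    return parse_rsa_private_key(base64.b64decode(KEY_B64))


def audit(key, printed_p, printed_q):
    """Compare the primes stored in the key with the debug-printed values."""
    p, q = key["p"], key["q"]
    return {
        "distinct": p != q,
        "p_gt_q": p > q,
        "n_is_pq": key["n"] == p * q,
        "printed_p_is_stored_q": printed_p == q,
        "printed_q_is_stored_q": printed_q == q,
        "stored_p_was_printed": p in (printed_p, printed_q),
    }


def debug_trace(p_gen, q_gen):
    """Model of the instrumentation: p is printed as generated, q only after
    the 'swap if p < q' step. Returns (shown_p, swapped, shown_q, (p, q))."""
    shown_p = p_gen
    p, q = p_gen, q_gen
    swapped = p < q
    if swapped:
        p, q = q, p
    shown_q = q
    return shown_p, swapped, shown_q, (p, q)


if __name__ == "__main__":
    key = load_thread_key()
    print("stored p: %X" % key["p"])
    print("stored q: %X" % key["q"])
    for name, value in audit(key, PRINTED_P, PRINTED_Q).items():
        print("%-22s %s" % (name, value))
    # The generated order is recovered by undoing the swap: p_gen = stored q.
    print(debug_trace(key["q"], key["p"]))
```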

Re: [openssl-dev] [openssl.org #4190] Missing Check for duplicate Prime-Value of p and q in openssl 0.9.8o

2015-12-21 Thread Felix via RT
O.K., you are right. Please close the ticket...

Regards,

Felix


Am 22.12.2015 00:09, schrieb Richard Levitte via RT:
> You're displaying pre-swap p and post-swap q. If they do get swapped, you must
> understand that pre-swap p and post-swap q will be the same value.
>
> If you really want to demonstrate something, please display *both* p and q
> before swap, and *both* p and q after swap.
>
> Vid Mon, 21 Dec 2015 kl. 23.00.38, skrev felix.wiedenr...@gmx.de:
>> Hello,
>>
>> I "pickup" rsa-p and rsa-q just one source-code-line after they were
>> "filled" and output the variables using the BN_print_fp function.
>>
>> please reopen the ticket.
>>
>> Regards,
>>
>> Felix
>>
>>
>> for (;;) {
>> if (!BN_generate_prime_ex(rsa->p, bitsp, 0, NULL, NULL, cb))
>> goto err;
>> printf(" p:");
>> BN_print_fp(stdout,rsa->p);
>> printf(" ");
>>
>> if (!BN_sub(r2, rsa->p, BN_value_one()))
>> goto err;
>> if (!BN_gcd(r1, r2, rsa->e, ctx))
>> goto err;
>> if (BN_is_one(r1))
>> break;
>> if (!BN_GENCB_call(cb, 2, n++))
>> goto err;
>> }
>> if (!BN_GENCB_call(cb, 3, 0))
>> goto err;
>> for (;;) {
>> /*
>> * When generating ridiculously small keys, we can get stuck
>> * continually regenerating the same prime values. Check for
>> this and
>> * bail if it happens 3 times.
>> */
>> unsigned int degenerate = 0;
>> do {
>> if (!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL, cb))
>> goto err;
>> }
>> while ((BN_cmp(rsa->p, rsa->q) == 0) && (++degenerate < 10));
>> if (degenerate == 10) {
>> ok = 0; /* we set our own err */
>> RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, RSA_R_KEY_SIZE_TOO_SMALL);
>> goto err;
>> }
>> if (!BN_sub(r2, rsa->q, BN_value_one()))
>> goto err;
>> if (!BN_gcd(r1, r2, rsa->e, ctx))
>> goto err;
>> if (BN_is_one(r1))
>> break;
>> if (!BN_GENCB_call(cb, 2, n++))
>> goto err;
>> }
>> if (!BN_GENCB_call(cb, 3, 1))
>> goto err;
>> if (BN_cmp(rsa->p, rsa->q) < 0) {
>> printf("Doppelt!") ;
>> tmp = rsa->p;
>> rsa->p = rsa->q;
>> rsa->q = tmp;
>> }
>> printf("q:");
>> BN_print_fp(stdout,rsa->q);
>>
>>
>>
>>
>> Am 21.12.2015 23:42, schrieb Richard Levitte via RT:
>>> You're not showing us how you output rsa->p and rsa->q. It doesn't
>>> make sense
>>> at all that you get "Doppelt!" if they were equal, so there's
>>> something wrong
>>> with your output. Also, it's been demonstrated (see mail by Viktor on
>>> openssl-dev) that the resulting key does have different p and q, with
>>> p > q.
>>>
>>> For all intents and purposes, this seems not to be a bug. Closing
>>> this ticket.
>>>
>>> Cheers,
>>> Richard
>>>

[openssl-dev] [openssl.org #4190] Missing Check for duplicate Prime-Value of p and q in openssl 0.9.8o

2015-12-21 Thread Rich Salz via RT
As Ann points out, 128 bits is way too small, and this ticket does not justify
a new release for 0.9.8.
Please update; 0.9.8 is end of life.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org

___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


[openssl-dev] [openssl.org #4192] [PATCH] differentiate SSL_* from SSL_CTX_* in documentation

2015-12-21 Thread Daniel Kahn Gillmor via RT
A couple of places in the OpenSSL documentation claim that SSL_foo()
takes an SSL_CTX* instead of an SSL*.  I've corrected those here.
---
 doc/ssl/SSL_CTX_set1_verify_cert_store.pod | 8 
 doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod   | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/doc/ssl/SSL_CTX_set1_verify_cert_store.pod 
b/doc/ssl/SSL_CTX_set1_verify_cert_store.pod
index af09f88..fbdd314 100644
--- a/doc/ssl/SSL_CTX_set1_verify_cert_store.pod
+++ b/doc/ssl/SSL_CTX_set1_verify_cert_store.pod
@@ -17,10 +17,10 @@ verification or chain store
  int SSL_CTX_set0_chain_cert_store(SSL_CTX *ctx, X509_STORE *st);
  int SSL_CTX_set1_chain_cert_store(SSL_CTX *ctx, X509_STORE *st);
 
- int SSL_set0_verify_cert_store(SSL_CTX *ctx, X509_STORE *st);
- int SSL_set1_verify_cert_store(SSL_CTX *ctx, X509_STORE *st);
- int SSL_set0_chain_cert_store(SSL_CTX *ctx, X509_STORE *st);
- int SSL_set1_chain_cert_store(SSL_CTX *ctx, X509_STORE *st);
+ int SSL_set0_verify_cert_store(SSL *ssl, X509_STORE *st);
+ int SSL_set1_verify_cert_store(SSL *ssl, X509_STORE *st);
+ int SSL_set0_chain_cert_store(SSL *ssl, X509_STORE *st);
+ int SSL_set1_chain_cert_store(SSL *ssl, X509_STORE *st);
 
 =head1 DESCRIPTION
 
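Review bot: In the SYNOPSIS of SSL_CTX_set1_verify_cert_store.pod the four SSL_set0/SSL_set1 prototypes now name their first parameter `ssl`, but the diffstat shows only these four lines changing in this file, so the DESCRIPTION section that begins right after this hunk is left as it was. Please check that its wording for the SSL_ variants speaks of an SSL object and of `ssl` rather than `ctx`, and extend the patch if it does not.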
diff --git a/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod 
b/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod
index 296699d..ea2ce5f 100644
--- a/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod
+++ b/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod
@@ -13,7 +13,7 @@ SSL_CTX_set_tmp_rsa_callback, SSL_CTX_set_tmp_rsa, 
SSL_CTX_need_tmp_rsa, SSL_set
  long SSL_CTX_set_tmp_rsa(SSL_CTX *ctx, RSA *rsa);
  long SSL_CTX_need_tmp_rsa(SSL_CTX *ctx);
 
- void SSL_set_tmp_rsa_callback(SSL_CTX *ctx,
+ void SSL_set_tmp_rsa_callback(SSL *ssl,
 RSA *(*tmp_rsa_callback)(SSL *ssl, int is_export, int keylength));
  long SSL_set_tmp_rsa(SSL *ssl, RSA *rsa)
  long SSL_need_tmp_rsa(SSL *ssl)
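Review bot: The two context lines at the end of this hunk, "long SSL_set_tmp_rsa(SSL *ssl, RSA *rsa)" and "long SSL_need_tmp_rsa(SSL *ssl)", have no trailing semicolon, unlike the SSL_CTX_ prototypes just above them. Since the patch is already correcting this synopsis, add the semicolons in the same change.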
-- 
2.6.4

___
openssl-bugs-mod mailing list
openssl-bugs-...@openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-bugs-mod



Re: [openssl-dev] [openssl.org #4190] Missing Check for duplicate Prime-Value of p and q in openssl 0.9.8o

2015-12-21 Thread Felix via RT
That does not matter from a technical point of view.

The problem is the same with 2048-bit RSA.

It's a general problem of the program mechanism that could be changed 
very easily.

OpenSSL 1.0.X is still too buggy for me...

BTW: The mechanisms in 1.10 are still the same

Still no duplicate check in the source code

Regards,

Felix


On 21.12.2015 14:46, Rich Salz via RT wrote:
> As Ann points out, 128 bits is way too small, and this ticket does not justify
> a new release for 0.9.8
> Please update; 0.9.8 is end of life.
> --
> Rich Salz, OpenSSL dev team; rs...@openssl.org
>
>




[openssl-dev] [openssl.org #4193] Minor Issue with X509_STORE_CTX_init and its callers.

2015-12-21 Thread Srinivas Koripella via RT
Hello all,
There is a minor issue with X509_STORE_CTX_init and its usage. Most of the 
callers of X509_STORE_CTX_init use a stack variable and pass its address as the 
ctx argument to this function.  However, X509_STORE_CTX_init, in case of an 
error in the call to CRYPTO_new_ex_data, does an OPENSSL_free on this stack 
variable. This in theory should be ok as the underlying free implementation 
should probably be a no-op as this address is from the stack.

However, on systems that do strict checks on the allocated memory heap this can 
be a problem.  One potential fix could be to remove the OPENSSL_free and let 
the caller take responsibility for his memory.

Thanks.
Srinivas




Re: [openssl-dev] [openssl.org #4193] Minor Issue with X509_STORE_CTX_init and its callers.

2015-12-21 Thread Viktor Dukhovni
On Tue, Dec 22, 2015 at 04:33:45AM +, Srinivas Koripella via RT wrote:

> There is a minor issue with X509_STORE_CTX_init and its usage. Most of
> the callers of X509_STORE_CTX_init use a stack variable and pass its
> address as the ctx argument to this function.  However, X509_STORE_CTX_init
> in case of an error in the call to CRYPTO_new_ex_data does an OPENSSL_free
> on this stack variable. This in theory should be ok as the underlying
> free implementation should probably be a  no-op as this address is from
> the stack.

Thanks for the report.  The bug was introduced way back on 2001/09/01
by commit 79aa04ef27f69a1149d4d0e72d2d2953b6241ef0 and is present
in OpenSSL 0.9.8 through 1.0.2.  

In the "master" development branch the extraneous "free" is gone,
but the code is still not quite right, because the memset removed
in 2001 really does belong (early) in X509_STORE_CTX_init() and
should have been removed from X509_STORE_CTX_cleanup() instead,
where zeroing data that is invalidated by cleanup is of course.

Try the (lightly tested) patch below my signature.

-- 
Viktor.

diff --git a/apps/pkcs12.c b/apps/pkcs12.c
index e41b445..cbb75b7 100644
--- a/apps/pkcs12.c
+++ b/apps/pkcs12.c
@@ -79,7 +79,8 @@ const EVP_CIPHER *enc;
 # define CLCERTS 0x8
 # define CACERTS 0x10
 
-int get_cert_chain(X509 *cert, X509_STORE *store, STACK_OF(X509) **chain);
+static int get_cert_chain(X509 *cert, X509_STORE *store,
+  STACK_OF(X509) **chain);
 int dump_certs_keys_p12(BIO *out, PKCS12 *p12, char *pass, int passlen,
 int options, char *pempass);
 int dump_certs_pkeys_bags(BIO *out, STACK_OF(PKCS12_SAFEBAG) *bags,
@@ -594,7 +595,7 @@ int MAIN(int argc, char **argv)
 vret = get_cert_chain(ucert, store, );
 X509_STORE_free(store);
 
-if (!vret) {
+if (vret == X509_V_OK) {
 /* Exclude verified certificate */
 for (i = 1; i < sk_X509_num(chain2); i++)
 sk_X509_push(certs, sk_X509_value(chain2, i));
@@ -602,7 +603,7 @@ int MAIN(int argc, char **argv)
 X509_free(sk_X509_value(chain2, 0));
 sk_X509_free(chain2);
 } else {
-if (vret >= 0)
+if (vret != X509_V_ERR_UNSPECIFIED)
 BIO_printf(bio_err, "Error %s getting chain.\n",
X509_verify_cert_error_string(vret));
 else
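Review bot: The test "vret != X509_V_ERR_UNSPECIFIED" in this error branch reuses a real verification code as the "no specific error" marker, where the old code used -1 for that purpose. A verification that genuinely ends with X509_V_ERR_UNSPECIFIED now takes the generic else message instead of going through X509_verify_cert_error_string(). That may be acceptable, but say so in a comment here, and document the return convention at get_cert_chain() so the two sites stay in step.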
@@ -906,36 +907,25 @@ int dump_certs_pkeys_bag(BIO *out, PKCS12_SAFEBAG *bag, 
char *pass,
 
 /* Given a single certificate return a verified chain or NULL if error */
 
-/* Hope this is OK  */
-
-int get_cert_chain(X509 *cert, X509_STORE *store, STACK_OF(X509) **chain)
+static int get_cert_chain(X509 *cert, X509_STORE *store,
+  STACK_OF(X509) **chain)
 {
 X509_STORE_CTX store_ctx;
-STACK_OF(X509) *chn;
+STACK_OF(X509) *chn = NULL;
 int i = 0;
 
-/*
- * FIXME: Should really check the return status of X509_STORE_CTX_init
- * for an error, but how that fits into the return value of this function
- * is less obvious.
- */
-X509_STORE_CTX_init(_ctx, store, cert, NULL);
-if (X509_verify_cert(_ctx) <= 0) {
-i = X509_STORE_CTX_get_error(_ctx);
-if (i == 0)
-/*
- * avoid returning 0 if X509_verify_cert() did not set an
- * appropriate error value in the context
- */
-i = -1;
-chn = NULL;
-goto err;
-} else
+if (!X509_STORE_CTX_init(_ctx, store, cert, NULL)) {
+*chain = NULL;
+return X509_V_ERR_UNSPECIFIED;
+}
+
+if (X509_verify_cert(_ctx) > 0)
 chn = X509_STORE_CTX_get1_chain(_ctx);
- err:
+else if ((i = X509_STORE_CTX_get_error(_ctx)) == 0)
+i = X509_V_ERR_UNSPECIFIED;
+
 X509_STORE_CTX_cleanup(_ctx);
 *chain = chn;
-
 return i;
 }
 
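Review bot: In the rewritten get_cert_chain(), if X509_verify_cert() succeeds but X509_STORE_CTX_get1_chain() returns NULL, i is still 0, so the function returns X509_V_OK with *chain set to NULL and the caller's "vret == X509_V_OK" branch treats that as success. Set i to X509_V_ERR_UNSPECIFIED when chn is NULL after a successful verify. The retained comment "Given a single certificate return a verified chain or NULL if error" also no longer matches the int return value plus out-parameter; update it to state what is returned on init failure and on verification failure.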
diff --git a/crypto/ts/ts_rsp_verify.c b/crypto/ts/ts_rsp_verify.c
index da89911..29aa5a4 100644
--- a/crypto/ts/ts_rsp_verify.c
+++ b/crypto/ts/ts_rsp_verify.c
@@ -255,7 +255,8 @@ static int TS_verify_cert(X509_STORE *store, STACK_OF(X509) 
*untrusted,
 
 /* chain is an out argument. */
 *chain = NULL;
-X509_STORE_CTX_init(_ctx, store, signer, untrusted);
+if (!X509_STORE_CTX_init(_ctx, store, signer, untrusted))
+return 0;
 X509_STORE_CTX_set_purpose(_ctx, X509_PURPOSE_TIMESTAMP_SIGN);
 i = X509_verify_cert(_ctx);
 if (i <= 0) {
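Review bot: The new early "return 0" on X509_STORE_CTX_init() failure leaves nothing on the error queue, so a caller of TS_verify_cert() cannot tell an initialisation failure from a failed verification. Record an error before returning, in the same way the "i <= 0" path that follows is expected to. Placing the check after "*chain = NULL" is right, since the out argument is then defined on every exit.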
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index ab94948..f44a4a0 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -2283,9 +2283,10 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE 
*store, X509 *x509,
 ctx->current_reasons = 0;
 ctx->tree = NULL;
 ctx->parent = NULL;
+/* Zero ex_data to make sure we're cleanup-safe */
+memset(&(ctx->ex_data),0,sizeof(CRYPTO_EX_DATA));
 
 
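Review bot: The added memset of ctx->ex_data sits after the ctx->current_reasons, ctx->tree and ctx->parent assignments, while the accompanying message says it belongs early in X509_STORE_CTX_init(). If any path above this line can return or jump to cleanup, ex_data is still uninitialised at that point. Move the memset to the top of the function or confirm that no earlier exit exists. As a style point, "memset(&(ctx->ex_data),0,sizeof(CRYPTO_EX_DATA))" needs spaces after the commas and is more robust written with sizeof(ctx->ex_data).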

[openssl-dev] [openssl.org #4190] Missing Check for duplicate Prime-Value of p and q in openssl 0.9.8o

2015-12-21 Thread Felix via RT
Hello,

I found out that in openssl 0.9.8 a check is missing for duplicate 
primes of p and q, see below. This is relevant when generating RSA keys:


root@debian6:/home/felix/Downloads/openssl-0.9.8o/apps# ./openssl genrsa 
128
Generating RSA private key, 128 bit long modulus
...+++
.+++
e is 65537 (0x10001)
  p:DBF7DA8B44ADCDD1 Phase 1 q:DBF7DA8B44ADCDD1 -BEGIN RSA PRIVATE 
KEY-
MGICAQACEQC+ePfpNx2CzoNDm/Aejm7HAgMBAAECEF/t7vYfUxaga1+R+6EPYiEC
CQDdrD6E0hkhFwIJANv32otErc3RAgkAz2HVG21zFQECCEW9PRKugZQhAgg9HQ6/
Pr0Uvg==
-END RSA PRIVATE KEY-
root@debian6:/home/felix/Downloads/openssl-0.9.8o/apps# ./openssl genrsa 
128
Generating RSA private key, 128 bit long modulus
.+++
.+++
e is 65537 (0x10001)
  p:DC32B965793AF86F Phase 1 q:C6F919F7AAA5EC71 -BEGIN RSA PRIVATE 
KEY-
MGUCAQACEQCrJX8Qy0q3bw5VN6G1mPz/AgMBAAECEQCbPCOI5BwdTE4K+TuIwOaB
AgkA3DK5ZXk6+G8CCQDG+Rn3qqXscQIJAKbu/YZkRcSZAgkAnE+DS+K+uLECCQCu
HHeujcFd/Q==
-END RSA PRIVATE KEY-
root@debian6:/home/felix/Downloads/openssl-0.9.8o/apps# ./openssl genrsa 
128
Generating RSA private key, 128 bit long modulus
.+++
...+++
e is 65537 (0x10001)
  p:EFAB9BC12A217257 Phase 1 q:C4B0A783D183DA55 -BEGIN RSA PRIVATE 
KEY-
MGMCAQACEQC4JMYPVKDUPrZfVf8B/gzjAgMBAAECEQCd8r0IbVi+c84EAM4bn4jR
AgkA76ubwSohclcCCQDEsKeD0YPaVQIIaHDg8+E3KAsCCELVeAZdof0FAgkAyqHj
yqUIUes=
-END RSA PRIVATE KEY-
root@debian6:/home/felix/Downloads/openssl-0.9.8o/apps# ./openssl genrsa 
128
Generating RSA private key, 128 bit long modulus
..+++
.+++
e is 65537 (0x10001)
  p:CA1A6069FBCE0E6B Phase 1 q:CA1A6069FBCE0E6B -BEGIN RSA PRIVATE 
KEY-
MGUCAQACEQDIjp/x7uVVrCNdf9Y1SpStAgMBAAECEQCyNiIkPe7lN1KFh4ubrk8V
AgkA/gq1dP5Y/0cCCQDKGmBp+84OawIJALlWjL4XFkzfAgkArBEa5wD4pXMCCQDW
mLQFBXBWbw==
-END RSA PRIVATE KEY-
root@debian6:/home/felix/Downloads/openssl-0.9.8o/apps# ./openssl genrsa 
128
Generating RSA private key, 128 bit long modulus
...+++
.+++
e is 65537 (0x10001)
  p:F4D74AA8BE84C4A3 Phase 1 q:D83D57FC191345D1 -BEGIN RSA PRIVATE 
KEY-
MGICAQACEQDO0FJxcT23cfxgf5/WfXgTAgMBAAECECNo7cS4o92FmsN9eYgtFiEC
CQD010qovoTEowIJANg9V/wZE0XRAghhDEkqk8HakwIJAKFKKD12qqRxAggvO+Uz
yUnU6g==
-END RSA PRIVATE KEY-
root@debian6:/home/felix/Downloads/openssl-0.9.8o/apps#


As, in my environment, p and q are identical in about 50% of the cases, 
this is in my opinion a big security hole, because p and q can be 
determined from N by calculating the square root of N.

I will try to test this with a newer release of openssl as well.

Thank you.

Regards,

Felix



Re: [openssl-dev] [openssl.org #4193] Minor Issue with X509_STORE_CTX_init and its callers.

2015-12-21 Thread Viktor Dukhovni
On Tue, Dec 22, 2015 at 06:53:54AM +, Viktor Dukhovni wrote:

> On Tue, Dec 22, 2015 at 04:33:45AM +, Srinivas Koripella via RT wrote:
> 
> > There is a minor issue with X509_STORE_CTX_init and its usage. Most of
> > the callers of X509_STORE_CTX_init use a stack variable and pass its
> > address as the ctx argument to this function.  However, X509_STORE_CTX_init
> > in case of an error in the call to CRYPTO_new_ex_data does an OPENSSL_free
> > on this stack variable. This in theory should be ok as the underlying
> > free implementation should probably be a  no-op as this address is from
> > the stack.
> 
> Thanks for the report.  The bug was introduced way back on 2001/09/01
> by commit 79aa04ef27f69a1149d4d0e72d2d2953b6241ef0 and is present
> in OpenSSL 0.9.8 through 1.0.2.  
> 
> In the "master" development branch the extraneous "free" is gone,
> but the code is still not quite right, because the memset removed
> in 2001 really does belong (early) in X509_STORE_CTX_init() and
> should have been removed from X509_STORE_CTX_cleanup() instead,
> where zeroing data that is invalidated by cleanup is of course.
> 
> Try the (lightly tested) patch below my signature.

Note, that patch was for 1.0.2e.  No idea how cleanly it applies
to other releases.

-- 
Viktor.


[openssl-dev] [openssl.org #4194] engine command regression in 1.1

2015-12-21 Thread Roumen Petrov via RT
Hello,

The OpenSSL engine command allows the user to specify the cryptographic module 
name at any position.
For instance, README.ENGINE recommends the following:
   openssl engine dynamic \
 -pre SO_PATH:/lib/libfoo.so \
   

The master branch (future 1.1) requires engine names to be specified 
after all options. This is a regression introduced by the new common 
"option-parsing".

Also, the new summary lacks information about the engine name as a 
command-line argument.


Regards,
Roumen Petrov



[openssl-dev] about "Rename some BUF_xxx to OPENSSL_xxx"

2015-12-21 Thread Roumen Petrov

Hello,

After modification OPENSSL_strlcpy is declared twice.

Regards,
Roumen
>From 5f5b81e162eae025dcc40a7074a973621c7dac33 Mon Sep 17 00:00:00 2001
From: Roumen Petrov 
Date: Mon, 21 Dec 2015 18:45:06 +0200
Subject: [PATCH 02/15] redundant redeclaration of 'OPENSSL_strlcpy'

---
 include/openssl/crypto.h | 1 -
 1 file changed, 1 deletion(-)

diff --git a/include/openssl/crypto.h b/include/openssl/crypto.h
index 8247f68..81e944d 100644
--- a/include/openssl/crypto.h
+++ b/include/openssl/crypto.h
@@ -332,7 +332,6 @@ int CRYPTO_is_mem_check_on(void);
 # define OPENSSL_free(addr)  CRYPTO_free(addr)
 
 size_t OPENSSL_strlcpy(char *dst, const char *src, size_t siz);
-size_t OPENSSL_strlcpy(char *dst, const char *src, size_t siz);
 size_t OPENSSL_strlcat(char *dst, const char *src, size_t siz);
 size_t OPENSSL_strnlen(const char *str, size_t maxlen);
 
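Review bot: The commit message consists of a subject line only; the change that introduced the duplicate OPENSSL_strlcpy declaration is named in the mail subject ("Rename some BUF_xxx to OPENSSL_xxx") but not in the commit itself. Add a one-line body referencing that change so the history explains where the redundant prototype came from. The one-line deletion itself is fine.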
-- 
1.8.4



Re: [openssl-dev] [openssl.org #3810] [PATCH] Improved P256 ECC performance by means of a dedicated function for modular inversion modulo the P256 group order

2015-12-21 Thread Andy Polyakov via RT
Hi,

> This patch is a contribution to OpenSSL.
> 
> It concerns the P256 ECC implementation.
> 
> The patch improves upon our previous submission, by providing a dedicated 
> function to perform modular inversion modulo the P256 group order.
> 
> Results:
> The performance improvements, for single threaded applications, compared to 
> the current (development) version of OpenSSL are as follows.
> 
> (measured by "openssl speed" utility)
> 
> 
> On Architecture Codename Haswell:
> ECDSA sign: 1.28X
> ECDSA verify: 1.10X
> 
> On Architecture  Broadwell:
> ECDSA sign: 1.42X
> ECDSA verify: 1.18X
> 
> We license the whole submission under BSD license.
> 
> Developers and authors:
> ***
> Shay Gueron (1, 2), and Vlad Krasnov (3)
> (1) University of Haifa, Israel
> (2) Intel Corporation, Israel Development Center, Haifa, Israel
> (3) CloudFlare, Inc.
> ***

Attached is a version refactored for the updated layout. It's a few percent
faster than the original (for several small reasons, e.g. avoiding excessive
%rip-relative addressing because it doesn't fuse, optimizing
back-to-back value passing through registers in squaring) and probably
more readable (for example squaring uses $acc6 and $acc7). Then I got
nervous about the possibility of an unaccounted carry and rearranged the
reduction step in a manner that precludes it. To be more specific, here is a
fragment of the original reduction step:

mov 8*1+.Lord(%rip), $t4
mul $t0
add $t1, $acc1
adc \$0, $t3
add $t4, $acc1

mov $t0, $t1
adc $t3, $acc2
adc \$0, $t1
sub $t0, $acc2
sbb \$0, $t1

The concern was that if $t0 happens to be all-ones, then you risk an
unaccounted carry in the last adc above. Well, upon a closer look the concern
appears to be false, but as it's a bit counter-intuitive, an alternative is
provided anyway.


diff --git a/crypto/ec/asm/ecp_nistz256-x86_64.pl b/crypto/ec/asm/ecp_nistz256-x86_64.pl
index c2621c2..39e60da 100755
--- a/crypto/ec/asm/ecp_nistz256-x86_64.pl
+++ b/crypto/ec/asm/ecp_nistz256-x86_64.pl
@@ -2,7 +2,13 @@
 
 ##
 ##
-# Copyright 2014 Intel Corporation   #
+# Copyright (c) 2014,2015 Intel Corporation   #
+# Copyright (c) 2015 CloudFlare, Inc.#
+# All rights reserved.   #
+##
+# This software is dual licensed under the Apache V.2.0 and BSD licenses #
+##
+##
 ##
 # Licensed under the Apache License, Version 2.0 (the "License");#
 # you may not use this file except in compliance with the License.   #
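Review bot: The added header line "This software is dual licensed under the Apache V.2.0 and BSD licenses" does not match the submission text quoted in this message, which says "We license the whole submission under BSD license". Confirm with the listed authors that dual licensing is what they intend before this header is committed, and note in the commit message why the copyright line grows from "2014 Intel Corporation" to cover 2015 and CloudFlare, Inc.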
@@ -18,10 +24,41 @@
 ##
 ##
 ##
+#  Redistribution and use in source and binary forms, with or without#
+#  modification, are permitted provided that the following conditions are#
+#  met:  #
+##
+#  #  Redistributions of source code must retain the above copyright #
+# notice, this list of conditions and the following disclaimer.  #
+##
+#  #  Redistributions in binary form must reproduce the above copyright  #
+# notice, this list of conditions and the following disclaimer in the#
+# documentation and/or other materials provided with the #
+# distribution.  #
+##
+#  #  Neither the name of the copyright holders nor the names of its #
+# contributors may be used to endorse or promote products derived from   #
+# this software without specific prior written permission.   #
+##
+#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS   #
+#  "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED #
+#  TO, THE 

[openssl-dev] [openssl.org #4191] Re: Missing Check for duplicate Prime-Value of p and q in openssl 0.9.8o

2015-12-21 Thread Felix via RT
P.S.

Problem still exists in Version 0.9.8zh.

Regards,

Felix

On 21.12.2015 12:00, Felix wrote:
> Hello,
>
> I found out, that in openssl 0.9.8 a check is missing for duplicate 
> primes of p and q, see below. This is relevant when generating RSA-Keys:
>
>
> root@debian6:/home/felix/Downloads/openssl-0.9.8o/apps# ./openssl 
> genrsa 128
> Generating RSA private key, 128 bit long modulus
> ...+++
> .+++
> e is 65537 (0x10001)
>  p:DBF7DA8B44ADCDD1 Phase 1 q:DBF7DA8B44ADCDD1 -BEGIN RSA PRIVATE 
> KEY-
> MGICAQACEQC+ePfpNx2CzoNDm/Aejm7HAgMBAAECEF/t7vYfUxaga1+R+6EPYiEC
> CQDdrD6E0hkhFwIJANv32otErc3RAgkAz2HVG21zFQECCEW9PRKugZQhAgg9HQ6/
> Pr0Uvg==
> -END RSA PRIVATE KEY-
> root@debian6:/home/felix/Downloads/openssl-0.9.8o/apps# ./openssl 
> genrsa 128
> Generating RSA private key, 128 bit long modulus
> .+++
> .+++
> e is 65537 (0x10001)
>  p:DC32B965793AF86F Phase 1 q:C6F919F7AAA5EC71 -BEGIN RSA PRIVATE 
> KEY-
> MGUCAQACEQCrJX8Qy0q3bw5VN6G1mPz/AgMBAAECEQCbPCOI5BwdTE4K+TuIwOaB
> AgkA3DK5ZXk6+G8CCQDG+Rn3qqXscQIJAKbu/YZkRcSZAgkAnE+DS+K+uLECCQCu
> HHeujcFd/Q==
> -END RSA PRIVATE KEY-
> root@debian6:/home/felix/Downloads/openssl-0.9.8o/apps# ./openssl 
> genrsa 128
> Generating RSA private key, 128 bit long modulus
> .+++
> ...+++
> e is 65537 (0x10001)
>  p:EFAB9BC12A217257 Phase 1 q:C4B0A783D183DA55 -BEGIN RSA PRIVATE 
> KEY-
> MGMCAQACEQC4JMYPVKDUPrZfVf8B/gzjAgMBAAECEQCd8r0IbVi+c84EAM4bn4jR
> AgkA76ubwSohclcCCQDEsKeD0YPaVQIIaHDg8+E3KAsCCELVeAZdof0FAgkAyqHj
> yqUIUes=
> -END RSA PRIVATE KEY-
> root@debian6:/home/felix/Downloads/openssl-0.9.8o/apps# ./openssl 
> genrsa 128
> Generating RSA private key, 128 bit long modulus
> ..+++
> .+++
> e is 65537 (0x10001)
>  p:CA1A6069FBCE0E6B Phase 1 q:CA1A6069FBCE0E6B -BEGIN RSA PRIVATE 
> KEY-
> MGUCAQACEQDIjp/x7uVVrCNdf9Y1SpStAgMBAAECEQCyNiIkPe7lN1KFh4ubrk8V
> AgkA/gq1dP5Y/0cCCQDKGmBp+84OawIJALlWjL4XFkzfAgkArBEa5wD4pXMCCQDW
> mLQFBXBWbw==
> -END RSA PRIVATE KEY-
> root@debian6:/home/felix/Downloads/openssl-0.9.8o/apps# ./openssl 
> genrsa 128
> Generating RSA private key, 128 bit long modulus
> ...+++
> .+++
> e is 65537 (0x10001)
>  p:F4D74AA8BE84C4A3 Phase 1 q:D83D57FC191345D1 -BEGIN RSA PRIVATE 
> KEY-
> MGICAQACEQDO0FJxcT23cfxgf5/WfXgTAgMBAAECECNo7cS4o92FmsN9eYgtFiEC
> CQD010qovoTEowIJANg9V/wZE0XRAghhDEkqk8HakwIJAKFKKD12qqRxAggvO+Uz
> yUnU6g==
> -END RSA PRIVATE KEY-
> root@debian6:/home/felix/Downloads/openssl-0.9.8o/apps#
>
>
> As, in my environment, p and q are identical in about 50% of the 
> cases, this is in my opinion a big security hole, because p and q can 
> be determined from N by calculating the square-root of N.
>
> I will try to test this with a newer release of openssl as well.
>
> Thank you.
>
> Regards,
>
> Felix



Re: [openssl-dev] [openssl.org #4190] Missing Check for duplicate Prime-Value of p and q in openssl 0.9.8o

2015-12-21 Thread Ann
Felix,
the real security hole is your key length.
For a key length greater than 1024, p and q should never be identical. The
chance of p not being a prime is probably greater.
In case p=q the Euler function will be p(p-1), whereas OpenSSL uses
(p-1)(q-1), i.e. (p-1)^2. In this case RSA, i.e. c:=m^e, m:=c^d, will
not work.
/Ann.
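
Added example, not part of this thread and not OpenSSL code: a Python key audit for the arithmetic discussed above. It derives d from (p-1)(q-1), then reports p == q, a perfect-square modulus, an e*d that does not match the true totient, and a failed encrypt/decrypt self-test. The primes 2^61-1 and 2^31-1 and all function names are constructed for illustration; PAGE_P is the value printed for both p and q in the first quoted genrsa run.

```python
import math

E = 65537                      # public exponent shown in the genrsa output
P = 2**61 - 1                  # constructed sample: Mersenne prime
Q = 2**31 - 1                  # constructed sample: Mersenne prime
PAGE_P = 0xDBF7DA8B44ADCDD1    # value the first quoted run prints for p and q


def make_key(p, q, e=E):
    """Derive d the way the thread describes: d = e^-1 mod (p-1)(q-1)."""
    d = pow(e, -1, (p - 1) * (q - 1))   # modular inverse, Python 3.8+
    return {"n": p * q, "e": e, "d": d, "p": p, "q": q}


def true_phi(p, q):
    """Euler's totient of n = p*q for primes p and q, covering p == q."""
    return p * (p - 1) if p == q else (p - 1) * (q - 1)


def round_trips(key, m=2):
    """Encrypt and decrypt m; True only if the original value comes back."""
    c = pow(m, key["e"], key["n"])
    return pow(c, key["d"], key["n"]) == m


def recover_equal_prime(n):
    """Return p if n == p*p (integer square root), otherwise None."""
    root = math.isqrt(n)
    return root if root * root == n else None


def audit_key(key):
    """List the findings that should make a key-validation step reject key."""
    findings = []
    if key["p"] * key["q"] != key["n"]:
        findings.append("n != p*q")
    if key["p"] == key["q"]:
        findings.append("p == q")
    if recover_equal_prime(key["n"]) is not None:
        findings.append("n is a perfect square")
    if key["e"] * key["d"] % true_phi(key["p"], key["q"]) != 1:
        findings.append("e*d != 1 mod phi(n)")
    if not round_trips(key):
        findings.append("encrypt/decrypt self-test failed")
    return findings


if __name__ == "__main__":
    print("distinct primes:", audit_key(make_key(P, Q)))
    print("equal primes   :", audit_key(make_key(P, P)))
    print("sqrt recovers p:", recover_equal_prime(PAGE_P * PAGE_P) == PAGE_P)
```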