Re: [ADVISORY] Timing Attack on OpenSSL
Hi Ben Laurie,

Do you mean that there would be a release (say 0.9.6j and 0.9.7b) with this patch included?

Regards,
Umesh

Ben Laurie wrote:
> I expect a release to follow shortly.
>
> --
> http://www.apache-ssl.org/ben.html http://www.thebunker.net/
>
> There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit. - Robert Woodruff
>
> --
>
> OpenSSL v0.9.7a and 0.9.6i vulnerability
>
> Researchers have discovered a timing attack on RSA keys, to which OpenSSL is generally vulnerable, unless RSA blinding has been turned on. Typically, it will not have been, because it is not easily possible to do so when using OpenSSL to provide SSL or TLS.
>
> The enclosed patch switches blinding on by default. Applications that wish to can remove the blinding with RSA_blinding_off(), but this is not generally advised. It is also possible to disable it completely by defining OPENSSL_NO_FORCE_RSA_BLINDING at compile-time.
>
> The performance impact of blinding appears to be small (a few percent).
>
> This problem affects many applications using OpenSSL, in particular, almost all SSL-enabled Apaches. You should rebuild and reinstall OpenSSL, and all affected applications.
>
> The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0147 to this issue.
>
> We strongly advise upgrading OpenSSL in all cases, as a precaution.
>
> --

Index: crypto/rsa/rsa_eay.c === RCS file: /e/openssl/cvs/openssl/crypto/rsa/rsa_eay.c,v retrieving revision 1.28.2.3 diff -u -r1.28.2.3 rsa_eay.c --- crypto/rsa/rsa_eay.c30 Jan 2003 17:37:46 - 1.28.2.3 +++ crypto/rsa/rsa_eay.c16 Mar 2003 10:34:13 - 
@@ -195,6 +195,25 @@ return(r); } +static int rsa_eay_blinding(RSA *rsa, BN_CTX *ctx) + { + int ret = 1; + CRYPTO_w_lock(CRYPTO_LOCK_RSA); + /* Check again inside the lock - the macro's check is racey */ + if(rsa-blinding == NULL) + ret = RSA_blinding_on(rsa, ctx); + CRYPTO_w_unlock(CRYPTO_LOCK_RSA); + return ret; + } + +#define BLINDING_HELPER(rsa, ctx, err_instr) \ + do { \ + if(((rsa)-flags RSA_FLAG_BLINDING) \ + ((rsa)-blinding == NULL) \ + !rsa_eay_blinding(rsa, ctx)) \ + err_instr \ + } while(0) + /* signing */ static int RSA_eay_private_encrypt(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding) @@ -239,8 +258,8 @@ goto err; } - if ((rsa-flags RSA_FLAG_BLINDING) (rsa-blinding == NULL)) - RSA_blinding_on(rsa,ctx); + BLINDING_HELPER(rsa, ctx, goto err;); + if (rsa-flags RSA_FLAG_BLINDING) if (!BN_BLINDING_convert(f,rsa-blinding,ctx)) goto err; @@ -318,8 +337,8 @@ goto err; } - if ((rsa-flags RSA_FLAG_BLINDING) (rsa-blinding == NULL)) - RSA_blinding_on(rsa,ctx); + BLINDING_HELPER(rsa, ctx, goto err;); + if (rsa-flags RSA_FLAG_BLINDING) if (!BN_BLINDING_convert(f,rsa-blinding,ctx)) goto err; Index: crypto/rsa/rsa_lib.c === RCS file: /e/openssl/cvs/openssl/crypto/rsa/rsa_lib.c,v retrieving revision 1.30.2.2 diff -u -r1.30.2.2 rsa_lib.c --- crypto/rsa/rsa_lib.c30 Jan 2003 17:37:46 - 1.30.2.2 +++ crypto/rsa/rsa_lib.c16 Mar 2003 10:34:13 - @@ -72,7 +72,13 @@ RSA *RSA_new(void) { - return(RSA_new_method(NULL)); + RSA *r=RSA_new_method(NULL); + +#ifndef OPENSSL_NO_FORCE_RSA_BLINDING + r-flags|=RSA_FLAG_BLINDING; +#endif + + return r; } void RSA_set_default_method(const RSA_METHOD *meth) __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Use of new option -crl_check in openssl 0.9.7?
Hello,

Does anybody know how to use the options "crl_check" and "crl_check_all" with the command "openssl smime" correctly? Is it only used within a verification process? Which certificates is it taking for a comparison in a given CRL?

Access to a CRL saved in a file resulted in an error: "Parameter -crl_check: CRL wird nicht gefunden".

Thank you for your help.

Helga
Setting an IV
Hi,

I'm using OpenSSL to perform encryption / decryption operations in PKCS#7 format. I use the PKCS7_... API set. I have to set a particular IV for interoperability with an external product. What can I do? Can I set an IV in PKCS_encode / decode, or do I have to use a lower-level API like EVP_cipher...?

Thank you.

Emanuele
Encrypt/Decrypt without socket
Hello,

I'm trying to use OpenSSL to encrypt and decrypt some messages. I don't use sockets because I must encapsulate my packet. I do the TLS handshake fine, and now I want to decrypt the message I capture with pcap and encrypt the message I send with libnet. I have tried SSL_read and SSL_write but they don't work. Can someone send me an example, or a link to an example?

Thanks,
Daniele Brevi
please help me!!
I have tried many times. I got the same error message.

==
perl Configure VC-WIN32
.\ms\do_nt.bat
nmake -f .\ms\nt.mak

PS: .NET VC++ (VC++ v7).

ui_compat.c
cl /Fotmp32\krb5_asn.obj -Iinc32 -Itmp32 /MD /W3 /WX /G5 /Ox /O2 /Ob2 /Gs0 /GF /Gy /nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_WIN32 -DOPENSSL_SYSNAME_WINNT /Fdout32 -DOPENSSL_NO_KRB5 -c .\crypto\krb5\krb5_asn.c
cl : Command line warning D4029 : optimization is not available in the standard edition compiler
krb5_asn.c
lib /out:out32\libeay32.lib @C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nmF2.tmp
'lib' 不是內部或外部命令、可執行的程式或批次檔。
NMAKE : fatal error U1077: 'lib' : return code '0x1'
Stop.
Re: Use of new option -crl_check in openssl 0.9.7?
On Mon, Mar 17, 2003, Krause, Helga wrote:
> Hello, does anybody know how to use the options crl_check and crl_check_all with the command openssl smime correctly?

Erm yes: I wrote that bit :-)

You have to add a CRL to either the file mentioned with the -CAfile option or the directory for -CApath (don't forget c_rehash).

> Is it only used within a verification process?

Yes, it is only used when a certificate is verified. This effectively means S/MIME signature verification only.

> Which certificates is it taking for a comparison in a given crl?

The signer's certificate(s), or all certificates in a chain if crl_check_all is present.

> Access to a crl saved in a file resulted in an error: Parameter -crl_check: CRL wird nicht gefunden.

Well, that isn't a standard OpenSSL error. Are you using the standard 'smime' command or something else?

My knowledge of other languages is somewhat limited, but does that translate as "CRL was not found"? If so then the current CRL probably isn't in the relevant place.

Steve.
--
Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
Re: Setting an IV
On Mon, Mar 17, 2003, Aonzo Emanuele wrote:
> Hi, I'm using OpenSSL to perform encryption / decryption operations in PKCS#7 format. I use the PKCS7_... API set. I have to set a particular IV for interoperability with an external product. What can I do? Can I set an IV in PKCS_encode / decode, or do I have to use a lower-level API like EVP_cipher...?

I don't think there is a clean way to do that. Setting a custom IV is a weird thing to have to do.

The standard envelope encryption code generates a random IV and encodes that in the EnvelopedData structure. The decryption code retrieves it from the structure.

The IV generation and encoding is done all at once in PKCS7_dataInit(). You could hack that, I suppose, so the IV can be externally specified.

Steve.
--
Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
Re: please help me!!
On Mon, Mar 17, 2003, luke wrote:
> I have tried many times. I got the same error message.
>
> ==
> perl Configure VC-WIN32
> .\ms\do_nt.bat
> nmake -f .\ms\nt.mak
>
> PS: .NET VC++ (VC++ v7).
>
> ui_compat.c
> cl /Fotmp32\krb5_asn.obj -Iinc32 -Itmp32 /MD /W3 /WX /G5 /Ox /O2 /Ob2 /Gs0 /GF /Gy /nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_WIN32 -DOPENSSL_SYSNAME_WINNT /Fdout32 -DOPENSSL_NO_KRB5 -c .\crypto\krb5\krb5_asn.c
> cl : Command line warning D4029 : optimization is not available in the standard edition compiler
> krb5_asn.c
> lib /out:out32\libeay32.lib @C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nmF2.tmp
> 'lib' 不是內部或外部命令、可執行的程式或批次檔。
> NMAKE : fatal error U1077: 'lib' : return code '0x1'
> Stop.

Looks like a crippled restricted version of VC++. Try removing the /O* options by manually editing ms\nt.mak; they are on the CFLAG line right at the top.

Steve.
--
Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
Does order matter in certificates?
I ran into a small snag using OpenSSL for email encrypting, whether I use it from inside mutt or standalone.

I received a signed email from my test account (using a free Thawte email cert). I saved the corresponding cert in the place necessary for mutt to use it for encryption. Mutt simply throws the signature through openssl pkcs7 -print_certs and throws the resulting certificate chain into `openssl x509 -hash -noout`.0 . I am able to use this cert without any problems to encrypt back to the sender, and can decrypt it there.

Looking at the resulting certificate, the order in the file is as follows:

(1) The signer cert (signed by (3))
(2) The CA root cert (self-signed)
(3) An intermediate cert (signed by (2))

I received email from someone else, signed using a digsigtrust.org certificate. I added it in the same way, but the recipient is not able to decrypt email from me encrypted with this certificate. I looked at the actual cert file, and this is how it is arranged:

(1) An intermediate cert (signed by (2))
(2) The CA root cert (self-signed)
(3) An intermediate cert (signed by (1))
(4) The signer cert (signed by (3))

So it turns out email I thought I was encrypting with (4) was actually being encrypted with (1). Of course the recipient could not decrypt.

Is there an easy way, besides editing the certs by hand, to separate out:

a - the signer's cert alone (depth 0 in the chain)
b - the root CA cert
c - all other intermediate certs

Also, is this a borked setup on the other person's machine that their certificate comes out upside-down like that? I have tested with (ugh) Outlook Express also, and this upside-down certificate is properly used (Outlook separates out the a, b, and c parts properly).

--
Jim Ramsay
[EMAIL PROTECTED]
PGP Key ID: 0xBE28F488
Automated certificate install on IE
I have created a self-signed certificate with OpenSSL. I would like to be able to import the certificate into Internet Explorer without user intervention (the client and server are the same box).

Does anyone know how to import a certificate in an automated fashion, without the user having to push any buttons? Are there any registry settings or tools that can help me with this?

I posted the question on an IE forum and got no responses, so I thought I'd try here.

Thanks,
Mike
Re: X509_verify question
On Mon, Mar 17, 2003, Nils Larsch wrote:
> Kocsis Peter wrote:
> > Hello! I am a newbie, and I need some help. I want to check whether the certificate is signed by the provided key. I generate both the key (firstly RSA) and the certificate. I generate an RSA key, assign it to an EVP_PKEY structure, sign the cert with it, then use X509_get_pubkey() to get the public key, and verify the signature with the pubkey, X509_verify(cert, pubkey), but it always results in -1, and I don't know why.
>
> Try to get more information about the failure with the ERR_get_error() function.

Then if you just get an apparently meaningless string of digits, read the FAQ. Once you've read that and can get a human readable string, read the FAQ again to see what it means.

Or you could just read the FAQ and see which question and answer you think is relevant to both :-)

Steve.
--
Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
Re: Trouble with MACs and non-matching
Ben:

I don't know if the utility works. (Sorta hoping for some confirmation on that.) I suppose it does. I also don't know how complicated it is to run.

The user who volunteered to test it was happier downloading Mozilla, with which there is no problem. Now he's up and running I doubt I'll be able to get him to try something else. :)

Thanks,
Ken

At 10:45 AM 03/17/2003, you wrote:
> Ken Loomis wrote:
> > ... The problem with IE on the Mac is that it doesn't offer any means to install a certificate. Apparently there's a utility Mac users can download and run to do this.
>
> I take it downloading the file then opening that file with IE doesn't work on the Mac?
>
> --
> Charles B. (Ben) Cranston
> mailto:[EMAIL PROTECTED]
> http://www.wam.umd.edu/~zben
Re: HMAC SHA1 source code
Sorry for the double hit last time.

openssl/crypto/sha/ refers to the functions SHA1_Init(), SHA1_Update() and SHA1_Final(), but there seems to be no reference of their definition in the source. Help appreciated..

Rich Salz [EMAIL PROTECTED] wrote:
> Nikhil Chauhan wrote:
> > Does anyone know a freely available implementation of the HMAC-SHA1 algorithm?
>
> Are you trolling for email names? You posted your note twice to the openssl mailing list. Download that source and look in crypto/hmac. RFC 2104 has a free hmac-md5 implementation.
>
> /r$
Re: Automated certificate install on IE
On Mon, Mar 17, 2003, Moerk, Michael wrote:
> I have created a self-signed certificate with OpenSSL. I would like to be able to import the certificate into Internet Explorer without user intervention (the client and server are the same box). Does anyone know how to import a certificate in an automated fashion, without the user having to push any buttons? Are there any registry settings or tools that can help me with this?

All the standard APIs prompt the user before adding a root CA into Windows certificate stores. This is a security measure because if you could silently add a certificate then you could generate arbitrary certificates chained to the root CA. This would allow server impersonation and ActiveX signing, which would allow an attacker to run whatever malicious code they wanted to.

Naturally there *is* a way to do this because the various warnings and wizards are just software and you could theoretically do exactly what they do (bypassing the official APIs) but without the prompting. However MS, understandably, won't give details about how to do this and AFAIK no one else has either.

BTW please turn word wrap on in your mailer: it put that lot all on one line...

Steve.
--
Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
Re: HMAC SHA1 source code
> openssl/crypto/sha/ refers to the functions SHA1_Init(), SHA1_Update() and SHA1_Final(), but there seems to be no reference of their definition in the source.

man grep

I guarantee that the functions are there.

/r$
Re: HMAC SHA1 source code
http://www.aleksey.com/xmlsec/bart.gif

Aleksey

Rich Salz wrote:
> > openssl/crypto/sha/ refers to the functions SHA1_Init(), SHA1_Update() and SHA1_Final(), but there seems to be no reference of their definition in the source.
>
> man grep
>
> I guarantee that the functions are there.
>
> /r$
Re: ftp implicit ssl connection
Thank you all, friends, for your suggestions. I'll try some of them and I'll be back with results ;-)
Re: RSA padding scheme, plz help!
That helped a lot! Thanks, Greg!

Michelle

On Fri, 14 Mar 2003, Gregory Stark wrote:
> ----- Original Message -----
> From: Michelle Li [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Sent: Wednesday, March 12, 2003 9:38 AM
> Subject: RSA padding scheme, plz help!
>
> > On the card, the supported padding schemes are RSA_ISO14888, RSA_ISO9796, RSA_PKCS1, and RSA_NO_PAD. I was told that RSA_ISO9796 and RSA_PKCS1 are suitable for data of limited length (k/2 and k-11 max, respectively, where k is the RSA key size in bytes). Some of my data will be a lot more than that, so I guess I can't use those two? But which of these are supported by openssl?
>
> I believe the first two are not supported and are for RSA signatures anyway. RSA_PKCS1 and RSA_NO_PAD are supported for encryption.
>
> > I'm new to cryptography, so any advice and help would be greatly appreciated. Thanks a lot!
>
> Usually, large amounts of data are not encrypted with RSA. It can be done, but it is much slower than alternative methods. The usual technique employs something called a 'digital envelope'. It combines the speed of a fast symmetric encryption algorithm like AES, DES, 3DES, Blowfish, etc. with the benefits of public key techniques. It works as follows:
>
> Consider a stream of data bytes that you want to encrypt, b0, b1, b2, ..., b1 (1 is just an example size), and suppose you are using 1024 bit RSA. In your notation above k=1024/8=128 bytes. Using the RSA_PKCS1 padding we can encrypt up to 128-11=117 bytes. Just take the first 117 bytes of data, b0 through b116, and RSA encrypt them. You get 128 bytes out. Then take the next 117 bytes of data, b117 through b233, and RSA encrypt them. You get another 128 bytes out. Continue on in this manner until you have encrypted all the data. On the decrypt side you just reverse the process. Take the first 128 bytes of data and RSA decrypt them. The result is the first 117 bytes of plaintext.
>
> Using the digital envelope technique instead, you first select a symmetric encryption algorithm. Let's use Blowfish as an example. Next generate a random Blowfish key of 16 bytes, call it BKEY. Now you encrypt all the data using Blowfish with key BKEY and only encrypt the 16 byte quantity BKEY with RSA. Send the RSA encrypted BKEY and the Blowfish encrypted data to the recipient. The recipient uses RSA decryption to recover BKEY, and then uses Blowfish with the just recovered BKEY to decrypt the rest of the data.
>
> For typical sized messages this will be between 200-2000 times faster than using just RSA. It is also a little more efficient with bandwidth, since pure RSA encryption takes 117 bytes in = 128 bytes out.
>
> Hope this helps,
>
> == Greg Stark [EMAIL PROTECTED] ==
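Greg's digital-envelope explanation above and the RSA blinding that the [ADVISORY] thread earlier on this page switches on by default rest on the same arithmetic, so one added Python example covers both. It is written for this page and is neither OpenSSL's code nor Greg's: it generates a toy 512-bit key with Miller-Rabin (OpenSSL's key generation is not reproduced), implements PKCS#1 v1.5 type 2 padding with the k-11 limit, computes the private operation on a blinded input the way RSA_blinding_on() arranges it, and contrasts chunked pure-RSA encryption with an envelope. The standard library has no Blowfish, so a SHA-256 counter-mode keystream stands in for the symmetric cipher (marked as such; illustration only). All function names are my own.

```python
import hashlib
import secrets
from math import gcd

# Toy RSA written for this page (not OpenSSL's code, not for production):
# PKCS#1 v1.5 type 2 padding with its k-11 limit, the private operation on a
# blinded input (what RSA_FLAG_BLINDING turns on), chunked RSA and an envelope.

def is_probable_prime(n, rounds=16):
    """Miller-Rabin; adequate for a demonstration key."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_key(bits=512, e=65537):
    """Return (n, e, d) from two random primes of bits//2 bits, top bit set."""
    def prime(b):
        while True:
            cand = secrets.randbits(b) | (1 << (b - 1)) | 1
            if is_probable_prime(cand):
                return cand
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            return p * q, e, pow(e, -1, phi)

def rsa_private_blinded(c, n, e, d):
    """c^d mod n computed on c * r^e for a fresh random r, so the timing of the
    secret exponentiation is decorrelated from c. As (c * r^e)^d = c^d * r
    (mod n), multiplying by r^-1 afterwards strips the blind."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:
            break
    blinded = (c * pow(r, e, n)) % n
    return (pow(blinded, d, n) * pow(r, -1, n)) % n

def pkcs1_v15_pad(msg, k):
    """EB = 00 || 02 || PS || 00 || M with PS >= 8 non-zero bytes: len(M) <= k - 11."""
    if len(msg) > k - 11:
        raise ValueError("message longer than k - 11 bytes")
    ps = bytes(secrets.randbelow(255) + 1 for _ in range(k - 3 - len(msg)))
    return b"\x00\x02" + ps + b"\x00" + msg

def pkcs1_v15_unpad(eb):
    sep = eb.find(b"\x00", 2)  # PS is non-zero, so the first 00 after it ends it
    if eb[:2] != b"\x00\x02" or sep < 10:
        raise ValueError("bad padding")
    return eb[sep + 1:]

def rsa_encrypt_chunked(data, n, e):
    """Pure RSA the slow way: every k-11 input bytes become k output bytes."""
    k, out = (n.bit_length() + 7) // 8, b""  # k: key size in bytes
    for i in range(0, len(data), k - 11):
        eb = pkcs1_v15_pad(data[i:i + k - 11], k)
        out += pow(int.from_bytes(eb, "big"), e, n).to_bytes(k, "big")
    return out

def rsa_decrypt_chunked(ct, n, e, d):
    k, out = (n.bit_length() + 7) // 8, b""
    for i in range(0, len(ct), k):
        m = rsa_private_blinded(int.from_bytes(ct[i:i + k], "big"), n, e, d)
        out += pkcs1_v15_unpad(m.to_bytes(k, "big"))
    return out

def stream_xor(key, data):
    """Stand-in for Blowfish (absent from the standard library): SHA-256 keystream in counter mode."""
    out = bytearray()
    for blk in range((len(data) + 31) // 32):
        ks = hashlib.sha256(key + blk.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[blk * 32:(blk + 1) * 32], ks))
    return bytes(out)

def envelope_seal(data, n, e):
    """Digital envelope: RSA wraps only the 16-byte BKEY; the bulk uses the symmetric cipher."""
    bkey = secrets.token_bytes(16)
    return rsa_encrypt_chunked(bkey, n, e), stream_xor(bkey, data)

def envelope_open(wrapped_key, body, n, e, d):
    return stream_xor(rsa_decrypt_chunked(wrapped_key, n, e, d), body)
```

With a 512-bit key k is 64, so pure RSA turns each 53-byte chunk into 64 bytes and performs one private exponentiation per chunk on decryption, whereas the envelope performs exactly one regardless of message length; that is the speed and bandwidth difference Greg quotes. The blinded private operation returns the same value as a plain pow(c, d, n), which is the property the advisory relies on: blinding changes what the exponentiation sees, not the result.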
Re: Windows does not have enough information to verify this certificate
Probably. Go to Tools -> Internet Options -> Content -> Certificates -> Personal. Click View, then Certificate Path.

Mark Liu [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
03/14/03 09:24 PM
Please respond to openssl-users

To: [EMAIL PROTECTED]
cc:
Subject: Windows does not have enough information to verify this certificate

> When we view a certificate issued by some CA, Windows may tell us this:
>
> Windows does not have enough information to verify this certificate.
>
> What does this mean? Does it mean that I have not installed the CA cert as a trusted root CA?
Re: Does order matter in certificates?
Tried to contact Jim Ramsay offline but ran into a very vicious spam killer which seemed to be broken when I followed his directions for bypassing it.

I am interested in hearing from people doing peer to peer communications (like email) using certificates from a non-trivial certificate hierarchy (e.g., one containing intermediate certificates between the root and end-user certificates). My immediate interest is how to load multiple certificates into the various web browsers, but I would be grateful for any and all pointers to information and/or the people who are working out how to do this in a compatible cross-platform manner.

[EMAIL PROTECTED]

Dr. Stephen Henson wrote:
> On Thu, Mar 13, 2003, Jim Ramsay wrote:
> > I ran into a small snag using OpenSSL for email encrypting, whether I use it from inside mutt or standalone.
> >
> > I received a signed email from my test account (using a free Thawte email cert). I saved the corresponding cert in the place necessary for mutt to use it for encryption. Mutt simply throws the signature through openssl pkcs7 -print_certs and throws the resulting certificate chain into `openssl x509 -hash -noout`.0 . I am able to use this cert without any problems to encrypt back to the sender, and can decrypt it there.
> >
> > Looking at the resulting certificate, the order in the file is as follows:
> >
> > (1) The signer cert (signed by (3))
> > (2) The CA root cert (self-signed)
> > (3) An intermediate cert (signed by (2))
> >
> > I received email from someone else, signed using a digsigtrust.org certificate. I added it in the same way, but the recipient is not able to decrypt email from me encrypted with this certificate. I looked at the actual cert file, and this is how it is arranged:
> >
> > (1) An intermediate cert (signed by (2))
> > (2) The CA root cert (self-signed)
> > (3) An intermediate cert (signed by (1))
> > (4) The signer cert (signed by (3))
> >
> > So it turns out email I thought I was encrypting with (4) was actually being encrypted with (1). Of course the recipient could not decrypt.
> >
> > Is there an easy way, besides editing the certs by hand, to separate out:
> >
> > a - the signer's cert alone (depth 0 in the chain)
> > b - the root CA cert
> > c - all other intermediate certs
> >
> > Also, is this a borked setup on the other person's machine that their certificate comes out upside-down like that? I have tested with (ugh) Outlook Express also, and this upside-down certificate is properly used (Outlook separates out the a, b, and c parts properly).
>
> The order is effectively arbitrary [1]. However there is additional information in the PKCS#7 structure which allows the signer certificate to be located (its issuer name and serial number).
>
> The OpenSSL 'smime' utility can be used to extract the signer's certificate from arbitrarily ordered certificates using the -signer option with -verify. So if you do:
>
> openssl smime -verify -in whatever.email -signer signerout.pem ...
>
> it should work. Note this will *write* the signer's certificate(s) to signerout.pem.
>
> [1] Well, I'm simplifying a bit here. For the technically minded or just curious there are two encoding schemes which may be used. The certificates are in a SET OF structure which can be encoded using DER or BER. For DER the certificates are sorted in lexical order, that is comparing the binary data: the way stuff is encoded effectively means that the smallest will appear first with this option and the largest last. For BER the DER rules *may* be applied or any old order used. OpenSSL effectively uses the BER version when encoding for various reasons [2].
>
> [2] These are a bit complex and not really relevant to this issue.
>
> Steve.
> --
> Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/
> Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
> Email: [EMAIL PROTECTED], PGP key: via homepage.

--
Charles B. (Ben) Cranston
mailto:[EMAIL PROTECTED]
http://www.wam.umd.edu/~zben
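Jim's question (parts a, b and c) and Steve's reply that the SET OF order is arbitrary suggest a small added example: classifying a bundle by following issuer links rather than by file position. This is Python written for this page, not OpenSSL or mutt code; each certificate is reduced to a constructed (label, subject, issuer) triple standing in for the names a real tool would read from the X.509 structures, and Jim's two observed orderings are reproduced as the sample input. The function names are my own.

```python
# Ordering a certificate bundle whose SET OF order is arbitrary (Steve's point
# above) by following issuer links instead of file position. Written for this
# page; not OpenSSL or mutt code. A certificate is reduced to a constructed
# (label, subject, issuer) triple standing in for the X.509 names.

def classify_chain(certs):
    """certs: iterable of (label, subject, issuer) in any order.
    Returns (signer, root, intermediates): Jim's a, b and c, with the
    intermediates listed from the signer's issuer upwards. Raises ValueError
    if the bundle is not a single issuer chain."""
    certs = list(certs)
    by_subject = {subject: (label, subject, issuer) for label, subject, issuer in certs}
    if len(by_subject) != len(certs):
        raise ValueError("duplicate subject names; cannot order by name alone")
    issuers = {issuer for _, subject, issuer in certs if issuer != subject}
    # depth 0 is the one certificate that issued nothing else in the bundle
    leaves = [c for c in certs if c[1] not in issuers]
    if len(leaves) != 1:
        raise ValueError("expected one end-entity certificate, found %d" % len(leaves))
    chain, seen = [leaves[0]], {leaves[0][1]}
    while chain[-1][1] != chain[-1][2]:  # walk issuer links until self-signed
        parent = by_subject.get(chain[-1][2])
        if parent is None:
            raise ValueError("issuer %r is not in the bundle" % chain[-1][2])
        if parent[1] in seen:
            raise ValueError("issuer loop at %r" % parent[1])
        seen.add(parent[1])
        chain.append(parent)
    return chain[0][0], chain[-1][0], [c[0] for c in chain[1:-1]]

def chain_problem(certs):
    """Reason the bundle cannot be ordered, or None if classify_chain succeeds."""
    try:
        classify_chain(certs)
        return None
    except ValueError as exc:
        return str(exc)

# Jim's two observed file orders, as constructed (label, subject, issuer) triples.
THAWTE_ORDER = [
    ("1", "signer", "intermediate"),
    ("2", "root", "root"),
    ("3", "intermediate", "root"),
]
DIGSIGTRUST_ORDER = [
    ("1", "intermediate-A", "root"),
    ("2", "root", "root"),
    ("3", "intermediate-B", "intermediate-A"),
    ("4", "signer", "intermediate-B"),
]
```

For the digsigtrust.org layout this returns ("4", "2", ["3", "1"]): the signer is the fourth certificate, which is why encrypting to whatever happened to be first failed. Real bundles should be matched on issuer name plus serial number, as Steve says the SignerInfo does, because subject names alone can collide across CAs; the duplicate-subject check above refuses rather than guesses in that case.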
PRNG_NOT_SEEDED, Even after calling RAND_add() in client
Hi,

I get a PRNG_NOT_SEEDED error even after I call the RAND_add() function. I am calling the function at the beginning, before SSL initialization. Here is my sample client running on an embedded board (ThreadX OS).

    #include <time.h>
    #include <openssl/ssl.h>
    #include <openssl/err.h>
    #include <openssl/rand.h>

    void ssl_client(void)
    {
        int err;
        int sd;
        struct sockaddr_in sa;
        SSL_CTX *ctx;
        SSL *ssl;
        X509 *server_cert;
        char *str;
        SSL_METHOD *meth;
        int theArg, r, success, theStatus;
        fd_set readfds, writefds;
        char c2s[BUFSIZZ], s2c[BUFSIZZ];
        unsigned long Time = time(NULL);

        /* Seed the PRNG from the clock: RAND_add takes a pointer to the seed
         * bytes, their length, and the caller's estimate of the entropy (in
         * bytes) they contain. */
        RAND_add(&Time, sizeof(Time), 0);

        SSLeay_add_ssl_algorithms();
        meth = SSLv3_client_method();
        SSL_load_error_strings();
        ctx = SSL_CTX_new(meth);
        SSL_CTX_set_cipher_list(ctx, "ALL");
        /* ... */
    }

After the client successfully reads the ServerHello and ServerDone messages and calls ssl3_send_client_key_exchange(), I get this error. Can anyone please help to figure out this issue? I tried what was mentioned in the FAQ.

regards,
raj
Re: PRNG_NOT_SEEDED, Even after calling RAND_add() in client
> I get a PRNG_NOT_SEEDED error even after I call RAND_add() function. I am calling the function at the beginning before SSL initialization.
> ...
> unsigned long Time=time(NULL);
> RAND_add(Time,sizeof(Time),0);

You should call RAND_status, which returns true/false to tell you if you have enough entropy.

Your code is bad for several reasons:

Assuming an unsigned long is 4 bytes on your system, you're adding 32 bits of entropy, which is very very low. (You'd want to give at least 40 bits to properly use 40 bit crypto, etc.)

Secondly, time(NULL) is not providing 32 full bits of entropy. In an entire day time(NULL) will produce only 86400 different values, which has 17 bits total. The actual entropy of those bits is still damned low.

Lastly, RAND_add expects the last arg to be the expected entropy of your system. Now here you've done a fairly accurate assessment in saying that even though an unsigned long is 32 bits the amount of entropy being supplied by your unsigned long (initialized from time(NULL)) is low (you said 0 bytes).

Try getting a better source of random data and then use RAND_add with a non-zero final value, where that value accurately defines how much randomness you expect in the data.

You might want to read the RAND_add man page.

--
Brian Hatch                      "Don't give
Systems and                       away the homeworld."
Security Engineer
http://www.ifokr.org/bri/

Every message PGP signed
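A model of the RAND_add()/RAND_status() accounting Brian describes, added here as Python for this page; OpenSSL's md_rand.c is not reproduced, only the rule that the pool counts as seeded once the caller-declared entropy reaches a threshold and that output is refused before then. The 32-byte threshold is my reading of that file and should be treated as an assumption, and the time_t value, class and function names are constructed for the example.

```python
import hashlib
import math
import os

# Model of the RAND_add()/RAND_status() contract Brian describes. Written for
# this page; OpenSSL's md_rand.c is not reproduced, only its accounting rule:
# the pool counts as seeded once the caller-declared entropy reaches a fixed
# number of bytes, and output is refused before that.

ENTROPY_NEEDED = 32  # bytes; assumption: my reading of md_rand.c's threshold

class EntropyPool:
    def __init__(self):
        self.state = b"\x00" * 32
        self.entropy = 0.0  # bytes of entropy credited so far

    def add(self, buf, entropy):
        """Mix buf in and credit at most `entropy` bytes, never more than len(buf).
        Returns the seeded status, as RAND_status() would report it."""
        self.state = hashlib.sha256(self.state + bytes(buf)).digest()
        self.entropy += max(0.0, min(float(entropy), len(buf)))
        return self.status()

    def status(self):
        return self.entropy >= ENTROPY_NEEDED

    def get_bytes(self, n):
        """Fail closed until seeded, the behaviour behind PRNG_NOT_SEEDED."""
        if not self.status():
            raise RuntimeError("PRNG_NOT_SEEDED")
        out = b""
        while len(out) < n:
            self.state = hashlib.sha256(self.state).digest()
            out += self.state
        return out[:n]

def clock_seed_entropy_bits(resolution_s, window_s):
    """Upper bound on the entropy of a clock-derived seed: only the distinct
    values the clock can take inside the window need to be searched."""
    return math.log2(window_s / resolution_s)

def seeded_like_raj():
    """time(NULL) credited with 0 bytes of entropy: the pool never becomes seeded."""
    pool = EntropyPool()
    time_t = 1047900000  # constructed stand-in for a 32-bit time(NULL) value
    return pool.add(time_t.to_bytes(4, "little"), 0)

def seeded_from_os():
    """32 bytes from the OS RNG credited honestly: seeded in one call."""
    return EntropyPool().add(os.urandom(32), 32)
```

The first scenario reproduces raj's symptom: the seed bytes are mixed in, but with the estimate at 0 the counter never moves and the first request for output fails. The second shows what an honest estimate from a real source looks like; clock_seed_entropy_bits(1, 86400) returns about 16.4 bits, Brian's "only 86400 different values" in one day, which is why crediting a time_t with anything close to its 4 bytes would be a lie.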
Re: [ADVISORY] Timing Attack on OpenSSL
Is this a new advisory? I've patched for a previous timing attack 2 weeks ago.

On Mon, 2003-03-17 at 03:47, Ben Laurie wrote:
> I expect a release to follow shortly.
>
> --
> http://www.apache-ssl.org/ben.html http://www.thebunker.net/
>
> There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit. - Robert Woodruff
>
> OpenSSL v0.9.7a and 0.9.6i vulnerability
>
> Researchers have discovered a timing attack on RSA keys, to which OpenSSL is generally vulnerable, unless RSA blinding has been turned on. Typically, it will not have been, because it is not easily possible to do so when using OpenSSL to provide SSL or TLS.
>
> The enclosed patch switches blinding on by default. Applications that wish to can remove the blinding with RSA_blinding_off(), but this is not generally advised. It is also possible to disable it completely by defining OPENSSL_NO_FORCE_RSA_BLINDING at compile-time.
>
> The performance impact of blinding appears to be small (a few percent).
>
> This problem affects many applications using OpenSSL, in particular, almost all SSL-enabled Apaches. You should rebuild and reinstall OpenSSL, and all affected applications.
>
> The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0147 to this issue.
>
> We strongly advise upgrading OpenSSL in all cases, as a precaution.

Index: crypto/rsa/rsa_eay.c === RCS file: /e/openssl/cvs/openssl/crypto/rsa/rsa_eay.c,v retrieving revision 1.28.2.3 diff -u -r1.28.2.3 rsa_eay.c --- crypto/rsa/rsa_eay.c 30 Jan 2003 17:37:46 - 1.28.2.3 +++ crypto/rsa/rsa_eay.c 16 Mar 2003 10:34:13 - 
@@ -195,6 +195,25 @@ return(r); } +static int rsa_eay_blinding(RSA *rsa, BN_CTX *ctx) + { + int ret = 1; + CRYPTO_w_lock(CRYPTO_LOCK_RSA); + /* Check again inside the lock - the macro's check is racey */ + if(rsa-blinding == NULL) + ret = RSA_blinding_on(rsa, ctx); + CRYPTO_w_unlock(CRYPTO_LOCK_RSA); + return ret; + } + +#define BLINDING_HELPER(rsa, ctx, err_instr) \ + do { \ + if(((rsa)-flags RSA_FLAG_BLINDING) \ + ((rsa)-blinding == NULL) \ + !rsa_eay_blinding(rsa, ctx)) \ + err_instr \ + } while(0) + /* signing */ static int RSA_eay_private_encrypt(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding) @@ -239,8 +258,8 @@ goto err; } - if ((rsa-flags RSA_FLAG_BLINDING) (rsa-blinding == NULL)) - RSA_blinding_on(rsa,ctx); + BLINDING_HELPER(rsa, ctx, goto err;); + if (rsa-flags RSA_FLAG_BLINDING) if (!BN_BLINDING_convert(f,rsa-blinding,ctx)) goto err; @@ -318,8 +337,8 @@ goto err; } - if ((rsa-flags RSA_FLAG_BLINDING) (rsa-blinding == NULL)) - RSA_blinding_on(rsa,ctx); + BLINDING_HELPER(rsa, ctx, goto err;); + if (rsa-flags RSA_FLAG_BLINDING) if (!BN_BLINDING_convert(f,rsa-blinding,ctx)) goto err; Index: crypto/rsa/rsa_lib.c === RCS file: /e/openssl/cvs/openssl/crypto/rsa/rsa_lib.c,v retrieving revision 1.30.2.2 diff -u -r1.30.2.2 rsa_lib.c --- crypto/rsa/rsa_lib.c 30 Jan 2003 17:37:46 - 1.30.2.2 +++ crypto/rsa/rsa_lib.c 16 Mar 2003 10:34:13 - @@ -72,7 +72,13 @@ RSA *RSA_new(void) { - return(RSA_new_method(NULL)); + RSA *r=RSA_new_method(NULL); + +#ifndef OPENSSL_NO_FORCE_RSA_BLINDING + r-flags|=RSA_FLAG_BLINDING; +#endif + + return r; } void RSA_set_default_method(const RSA_METHOD *meth) __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: [ADVISORY] Timing Attack on OpenSSL
This is a different vulnerability. The one you patched two weeks ago was caused by a failure to decrypt messages when the MAC comparison failed. This vulnerability is a timing attack against the RSA algorithms.

The Slashdot discussion is here: http://slashdot.org/article.pl?sid=03/03/14/0012214&mode=thread&tid=172

The paper is here: http://crypto.stanford.edu/~dabo/abstracts/ssl-timing.html

Christopher Fowler wrote:
> Is this a new advisory? I've patched for a previous timing attack 2 weeks ago.
[ADVISORY] Timing Attack on OpenSSL
I expect a release to follow shortly.

--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/

There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit. - Robert Woodruff

OpenSSL v0.9.7a and 0.9.6i vulnerability

Researchers have discovered a timing attack on RSA keys, to which OpenSSL is generally vulnerable, unless RSA blinding has been turned on. Typically, it will not have been, because it is not easily possible to do so when using OpenSSL to provide SSL or TLS.

The enclosed patch switches blinding on by default. Applications that wish to can remove the blinding with RSA_blinding_off(), but this is not generally advised. It is also possible to disable it completely by defining OPENSSL_NO_FORCE_RSA_BLINDING at compile-time.

The performance impact of blinding appears to be small (a few percent).

This problem affects many applications using OpenSSL, in particular, almost all SSL-enabled Apaches. You should rebuild and reinstall OpenSSL, and all affected applications.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0147 to this issue.

We strongly advise upgrading OpenSSL in all cases, as a precaution.

Index: crypto/rsa/rsa_eay.c === RCS file: /e/openssl/cvs/openssl/crypto/rsa/rsa_eay.c,v retrieving revision 1.28.2.3 diff -u -r1.28.2.3 rsa_eay.c --- crypto/rsa/rsa_eay.c30 Jan 2003 17:37:46 - 1.28.2.3 +++ crypto/rsa/rsa_eay.c16 Mar 2003 10:34:13 - 
@@ -195,6 +195,25 @@ return(r); } +static int rsa_eay_blinding(RSA *rsa, BN_CTX *ctx) + { + int ret = 1; + CRYPTO_w_lock(CRYPTO_LOCK_RSA); + /* Check again inside the lock - the macro's check is racey */ + if(rsa-blinding == NULL) + ret = RSA_blinding_on(rsa, ctx); + CRYPTO_w_unlock(CRYPTO_LOCK_RSA); + return ret; + } + +#define BLINDING_HELPER(rsa, ctx, err_instr) \ + do { \ + if(((rsa)-flags RSA_FLAG_BLINDING) \ + ((rsa)-blinding == NULL) \ + !rsa_eay_blinding(rsa, ctx)) \ + err_instr \ + } while(0) + /* signing */ static int RSA_eay_private_encrypt(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding) @@ -239,8 +258,8 @@ goto err; } - if ((rsa-flags RSA_FLAG_BLINDING) (rsa-blinding == NULL)) - RSA_blinding_on(rsa,ctx); + BLINDING_HELPER(rsa, ctx, goto err;); + if (rsa-flags RSA_FLAG_BLINDING) if (!BN_BLINDING_convert(f,rsa-blinding,ctx)) goto err; @@ -318,8 +337,8 @@ goto err; } - if ((rsa-flags RSA_FLAG_BLINDING) (rsa-blinding == NULL)) - RSA_blinding_on(rsa,ctx); + BLINDING_HELPER(rsa, ctx, goto err;); + if (rsa-flags RSA_FLAG_BLINDING) if (!BN_BLINDING_convert(f,rsa-blinding,ctx)) goto err; Index: crypto/rsa/rsa_lib.c === RCS file: /e/openssl/cvs/openssl/crypto/rsa/rsa_lib.c,v retrieving revision 1.30.2.2 diff -u -r1.30.2.2 rsa_lib.c --- crypto/rsa/rsa_lib.c30 Jan 2003 17:37:46 - 1.30.2.2 +++ crypto/rsa/rsa_lib.c16 Mar 2003 10:34:13 - @@ -72,7 +72,13 @@ RSA *RSA_new(void) { - return(RSA_new_method(NULL)); + RSA *r=RSA_new_method(NULL); + +#ifndef OPENSSL_NO_FORCE_RSA_BLINDING + r-flags|=RSA_FLAG_BLINDING; +#endif + + return r; } void RSA_set_default_method(const RSA_METHOD *meth)
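Review bot: in the first rsa_eay.c hunk (@@ -195,6 +195,25 @@) rsa_eay_blinding() holds the single global CRYPTO_LOCK_RSA write lock for the whole of RSA_blinding_on(), which performs a modular inverse and a modular exponentiation; now that the flag is on for every key, the first private-key operation on each RSA object serialises against every other RSA operation in the process. A per-object lock, or at least a comment stating that the cost is paid once per key, would help. BLINDING_HELPER's unlocked read of the blinding pointer followed by the re-check under the lock is only safe where that pointer read is atomic, which deserves a sentence beside the existing "the macro's check is racey" comment. Separately, this archive copy of the hunk has lost its `->`, `&` and `&&` characters (`rsa-blinding`, `(rsa)-flags RSA_FLAG_BLINDING`), so the text as shown will neither apply nor compile; anyone rebuilding should take the patch from the release rather than from this page.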
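Review bot: in the RSA_eay_private_encrypt hunk (@@ -239,8 +258,8 @@) the removed code called RSA_blinding_on() and discarded its return value, so a failure left the signature computed unblinded with nothing reported to the caller; the replacement `BLINDING_HELPER(rsa, ctx, goto err;)` turns that into an error return, which is the right choice for a countermeasure. It is also a visible behaviour change (an operation that previously "succeeded" can now fail), so the advisory text or the CHANGES entry should say so. The unchanged check that follows, `if (rsa-flags RSA_FLAG_BLINDING) if (!BN_BLINDING_convert(f,rsa-blinding,ctx)) goto err;` as rendered here, is now only reached after the helper has guaranteed that the blinding structure exists whenever the flag is set.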
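Review bot: the second rsa_eay.c hunk (@@ -318,8 +337,8 @@, presumably RSA_eay_private_decrypt, the other private-key path) is the same substitution and is what justifies introducing the macro. Leaving the public-key functions untouched is correct: blinding protects the private exponent, and the public operations have no secret whose timing could leak. The new early exit sits before BN_BLINDING_convert(), so on that error path no value is left in blinded form and the `err:` cleanup needs no change; a one-line comment on BLINDING_HELPER saying it must precede the convert call would stop a future caller placing it after.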
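Review bot: in the rsa_lib.c hunk (@@ -72,7 +72,13 @@) the flag update on `r` (rendered `r-flags|=RSA_FLAG_BLINDING` here) dereferences the result of RSA_new_method(NULL) without a NULL check; the old one-liner returned NULL on allocation failure, the new code crashes. Wrap the assignment in `if (r != NULL)`. The default is also applied in RSA_new() only: an object created through RSA_new_method() directly, which RSA_new() merely wraps, does not receive the flag and stays unblinded unless the caller turns it on, so either move the assignment into RSA_new_method() or state the limitation in the advisory, which at present only says that applications can turn blinding off.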