Dynamic engine problems
Hello! We are implementing a custom engine providing GOST algorithms. We get a SEGFAULT on app_shutdown. We didn't find out what is wrong with our code. Engine code is attached. We use the 20050112 snapshot of the 0.9.8 branch.

--
SY, Dmitry Belyavsky (ICQ UIN 6575)

```c
#include <stdio.h>   /* for printf() below */
#include <string.h>
#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/bn.h>
#include <openssl/engine.h>
#include <openssl/objects.h>

static int NID_minimum_cipher_GOST = NID_undef;

#define OID_gost89 "1.2.643.2.9.1.1.1"
#define SN_gost89  "gost89"
#define LN_gost89  "GOST 28147-89 symmetric cipher"

int register_minimum_NID(void)
{
    NID_minimum_cipher_GOST = OBJ_create(OID_gost89, SN_gost89, LN_gost89);
    if (NID_minimum_cipher_GOST == NID_undef) {
        goto err;
    }
    return 1;
err:
    NID_minimum_cipher_GOST = NID_undef;
    return 0;
}

/* Fake crypt functions */
int cce_cipher_init(EVP_CIPHER_CTX *ctx, const unsigned char *key,
                    const unsigned char *iv, int enc) { return 1; }
int cce_cipher_do(EVP_CIPHER_CTX *ctx, unsigned char *out,
                  const unsigned char *in, unsigned int inl) { return 1; }
int cce_cipher_cleanup(EVP_CIPHER_CTX *ctx) { return 1; }

#define minimum_LIB_NAME "minimum GOST engine"
static const char *engine_minimum_id = "minimum";
static const char *engine_minimum_name = "minimum GOST engine";

static int cce_destroy(ENGINE *e);
static int cce_init(ENGINE *e);
static int cce_finish(ENGINE *e);

/* Engine commands */
static const ENGINE_CMD_DEFN cce_cmd_defns[] = {
    {0, NULL, NULL, 0}
};

/* Symmetric cipher and digest function registrar */
static int cce_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
                       const int **nids, int nid);

static int cce_cipher_nids[] = {NID_undef, 0};

static EVP_CIPHER cipher_gost = {
    NID_undef,
    1,  /* block_size */
    32, /* key_size */
    8,
    EVP_CIPH_CFB_MODE | EVP_CIPH_CUSTOM_IV | EVP_CIPH_NO_PADDING,
    cce_cipher_init,
    cce_cipher_do,
    cce_cipher_cleanup,
    0,  /* ctx_size */
    NULL,
    NULL,
    NULL,
    NULL,
};

static int cce_init(ENGINE *e) { return 1; }
static int cce_finish(ENGINE *e) { return 1; }

static int cce_destroy(ENGINE *e)
{
    ENGINE_unregister_ciphers(e);
    OBJ_cleanup();
    return 1;
}

static int bind_cce(ENGINE *e, const char *id)
{
    if (id && strcmp(id, engine_minimum_id))
        return 0;
    if (!ENGINE_set_id(e, engine_minimum_id)) {
        printf("ENGINE_set_id failed\n");
        return 0;
    }
    if (!ENGINE_set_name(e, engine_minimum_name)) {
        printf("ENGINE_set_name failed\n");
        return 0;
    }
    if (!register_minimum_NID())
        return 0;
    /* set up NIDs */
    cipher_gost.nid = NID_minimum_cipher_GOST;
    /* end set up NIDs */
    if (!ENGINE_set_ciphers(e, cce_ciphers)) {
        printf("ENGINE_set_ciphers failed\n");
        return 0;
    }
    if (!ENGINE_set_destroy_function(e, cce_destroy)
        || !ENGINE_set_init_function(e, cce_init)
        || !ENGINE_set_finish_function(e, cce_finish))
        return 0;
    if (!ENGINE_register_ciphers(e)
        /* These two actually should go in LIST_ADD command */
        || !EVP_add_cipher(&cipher_gost))
        return 0;
    return 1;
}

#ifdef _WIN32
extern __declspec(dllexport)
#endif
#ifndef OPENSSL_NO_DYNAMIC_ENGINE
IMPLEMENT_DYNAMIC_BIND_FN(bind_cce);
IMPLEMENT_DYNAMIC_CHECK_FN();
#else
static ENGINE *engine_cce(void)
{
    ENGINE *ret = ENGINE_new();
    if (!ret)
        return NULL;
    if (!bind_cce(ret, engine_minimum_id)) {
        ENGINE_free(ret);
        return NULL;
    }
    return ret;
}

void ENGINE_load_cce(void)
{
    /* Copied from eng_[openssl|dyn].c */
    ENGINE *toadd = engine_cce();
    if (!toadd)
        return;
    ENGINE_add(toadd);
    ENGINE_free(toadd);
    ERR_clear_error();
}
#endif /* OPENSSL_NO_DYNAMIC_ENGINE */

static int cce_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
                       const int **nids, int nid)
{
    int ok = 1;
    if (!cipher) {
        /* return list of supported nids */
        if (cce_cipher_nids[0] == NID_undef) {
            cce_cipher_nids[0] = NID_minimum_cipher_GOST;
        }
        *nids = cce_cipher_nids;
        return 1; /* Only one cipher supported */
    }
    if (nid == NID_minimum_cipher_GOST) {
        *cipher = &cipher_gost;
    }
    return ok;
}
```
Re: Dynamic engine problems
In message [EMAIL PROTECTED] on Mon, 17 Jan 2005 11:06:49 +0300 (MSK), Dmitry Belyavsky [EMAIL PROTECTED] said:

beldmit> We are implementing custom engine providing GOST algorithms.
beldmit> We get a SEGFAULT on app_shutdown.

That's because of the call to ENGINE_unregister_ciphers() in cce_destroy(). Can I suggest you take a look at, for example, demos/engines/rsaref/ for a working example to look at?

Cheers,
Richard

--
Please consider sponsoring my work on free software. See http://www.free.lp.se/sponsoring.html for details.

--
Richard Levitte [EMAIL PROTECTED] http://richard.levitte.org/
"When I became a man I put away childish things, including the fear of childishness and the desire to be very grown up." -- C.S. Lewis

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                                [EMAIL PROTECTED]
Re: Dynamic engine problems
Hello!

On Mon, 17 Jan 2005, Richard Levitte - VMS Whacker wrote:

> beldmit> We are implementing custom engine providing GOST algorithms.
> beldmit> We get a SEGFAULT on app_shutdown.
>
> That's because of the call to ENGINE_unregister_ciphers() in cce_destroy(). Can I suggest you take a look at, for example, demos/engines/rsaref/ for a working example to look at?

Thank you very much. Should we call ENGINE_unregister_ciphers any time really? What are they for?

--
SY, Dmitry Belyavsky (ICQ UIN 6575)
Re: Dynamic engine problems
In message [EMAIL PROTECTED] on Mon, 17 Jan 2005 13:27:03 +0300 (MSK), Dmitry Belyavsky [EMAIL PROTECTED] said:

beldmit> Thank you very much. Should we call ENGINE_unregister_ciphers
beldmit> any time really? What are they for?

It's a function to be called from the application when wanting fine-tuned control of the stuff that the engine module delivers. However, if all you want to do is to clean up at the end, ENGINE_cleanup() (which is called from app_shutdown()) is all you need.

Cheers,
Richard

--
Richard Levitte [EMAIL PROTECTED] http://richard.levitte.org/
Writing to a mem BIO instead of using SSL_Write
Hi.

I'm trying (with no success) to detach SSL from a socket, and use it to crypt/decrypt using a mem BIO. Instead of using SSL_write, I want to write the encrypted data to a mem BIO (or just a buffer) and send it by myself (and do the reverse operation on receive). I will do this just after the initial negotiation. All the information will be encrypted, I just need to do the send/recv by myself.

I need to change an existing application to use SSL. I'll need to put the already encrypted buffer in a queue, to be sent by another thread. The encryption thread doesn't have control over the socket.

How can I do this?

Thanks,
Strauss
using OpenSSL and NSS in same project
Hi All,

I am trying to use OpenSSL and the NSS (Mozilla) toolkit in the same project. When I try to compile the project it gives me an error:

    error C2733: second C linkage of overloaded function 'SHA1_Update' not allowed
    c:\open.tar\openssl_debug_updated\openssl-0.9.7e\inc32\openssl\sha.h(116) : see declaration of 'SHA1_Update'

The error is the same for MD5_Update and MD2_Update. Now I couldn't find some way to resolve this problem, so I tried to rename the functions MD5_Update, MD2_Update and SHA1_Update in the whole OpenSSL source to MD5_UpdateA, MD2_UpdateA and SHA1_UpdateA. When I tried to build the DLL it gave me errors of some kind about exporting symbols, so I tried to build static debug for this and it worked fine, but SHA1_Update still couldn't be resolved and is giving me the following error:

    link /nologo /subsystem:console /machine:I386 /opt:ref /debug /out:out32.dbg\md2test.exe @E:\DOCUME~1\aftab\LOCALS~1\Temp\nma03100.
    libeay32.lib(m_sha1.obj) : error LNK2001: unresolved external symbol _SHA1_UpdateA
    out32.dbg\md2test.exe : fatal error LNK1120: 1 unresolved externals
    NMAKE : fatal error U1077: 'link' : return code '0x460'

I want to know whether there is any better way to resolve this issue, and if I somehow get successful in doing it the way I am, what problems it can cause afterwards.

Regards,
Muhammad Aftab
Re: SSL (or alike) over UDP
Peter 'Luna' Runestig wrote:
> On Fri, 14 Jan 2005 21:10 pm, Eduardo Pérez wrote:
>> Do you know if it's possible to use SSL (or some other protocol) over UDP running totally in user space.
>
> The OpenVPN project http://openvpn.net/ runs OpenSSL over UDP, works great.

No, it doesn't. It uses SSL to bootstrap UDP connections.

--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff
Re: SSL (or alike) over UDP
* Ben Laurie wrote:
> Peter 'Luna' Runestig wrote:
>> On Fri, 14 Jan 2005 21:10 pm, Eduardo Pérez wrote:
>>> Do you know if it's possible to use SSL (or some other protocol) over UDP running totally in user space.
>>
>> The OpenVPN project http://openvpn.net/ runs OpenSSL over UDP, works great.
>
> No, it doesn't. It uses SSL to bootstrap UDP connections.

It says in the book "Web Security & Commerce" by Simson Garfinkel, Gene Spafford that SSL cannot use UDP. I read that bit just the other day :-)
Re: SSL (or alike) over UDP
Shaun Lipscombe wrote:
> * Ben Laurie wrote:
>> Peter 'Luna' Runestig wrote:
>>> On Fri, 14 Jan 2005 21:10 pm, Eduardo Pérez wrote:
>>>> Do you know if it's possible to use SSL (or some other protocol) over UDP running totally in user space.
>>>
>>> The OpenVPN project http://openvpn.net/ runs OpenSSL over UDP, works great.
>>
>> No, it doesn't. It uses SSL to bootstrap UDP connections.
>
> It says in the book "Web Security & Commerce" by Simson Garfinkel, Gene Spafford that SSL cannot use UDP. I read that bit just the other day :-)

The question is a little vague. I don't know of anything that you can just plug in that does this (I'm not very knowledgeable on the subject though). If you mean can a system be built, then it can. You can arrange for order of arrival and guaranteed delivery above UDP and have basically rebuilt TCP on top of UDP. So in that respect, with some work, anything that can work over TCP can work over UDP. It would be counterproductive to do this though, unless your main goal was to work around a system that wouldn't pass IP packets with the protocol set to TCP.

If you want to work with UDP's lower overhead by accepting lost and out-of-order packets then you need to use an encryption method that doesn't alter its state based on the data flow (i.e. RC4 would be out). SSL (usually?) uses public key encryption to exchange a shared secret that's used in a symmetric algorithm for the remainder of the conversation. A straightforward method might be to establish a TCP connection for this key exchange, and then use a block cipher (blowfish perhaps) to encrypt individual UDP packets. Since each UDP packet would be encrypted individually, a lost or out-of-order packet would not matter to the decryption process. I don't know how secure blowfish would be using the same key over and over, and certainly the more data you pass encrypted with the same key the easier it will become to analyze and break.

If you're worried about it you can keep the TCP connection open and exchange new symmetric keys occasionally. If you look into the encryption used for wireless communication (I'm sure there's a couple RFCs on this) that system should adapt to UDP transmissions without much work. Use the newest standard, since the older one was fairly easy to break if I recall.

Andrew
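Andrew's per-packet design above, with an explicit sequence number, a MAC and a replay window added so that a receiver can open datagrams in any order while rejecting forged or replayed ones, as an example written for this page rather than taken from the thread. It swaps the Blowfish-per-packet idea for a constructed HMAC-SHA256 keystream (CTR-style, so it runs on the Python standard library); all names and the toy scheme itself are assumptions, not a vetted AEAD.

```python
import hmac, hashlib, struct

# Constructed toy scheme (added example, not the poster's Blowfish design):
# keystream = HMAC-SHA256(enc_key, seq || block) in CTR style, then an
# HMAC tag over seq || ciphertext. Illustrative, not a production AEAD.
TAG_LEN = 16
SEQ = struct.Struct("!Q")            # 64-bit sequence number, network order

def derive_keys(master):
    """Split the secret from the TCP key exchange into enc and mac keys."""
    return (hashlib.sha256(b"enc" + master).digest(),
            hashlib.sha256(b"mac" + master).digest())

def keystream(enc_key, seq, n):
    """Keystream depends only on (key, seq), never on earlier packets."""
    out = b""
    for block in range((n + 31) // 32):
        out += hmac.new(enc_key, SEQ.pack(seq) + struct.pack("!I", block),
                        hashlib.sha256).digest()
    return out[:n]

def seal(master, seq, plaintext):
    """Protect one datagram on its own: seq || ciphertext || tag."""
    enc_key, mac_key = derive_keys(master)
    ks = keystream(enc_key, seq, len(plaintext))
    body = SEQ.pack(seq) + bytes(a ^ b for a, b in zip(plaintext, ks))
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()[:TAG_LEN]

class Receiver:
    """Opens datagrams in any order; drops forged, replayed and stale ones."""
    def __init__(self, master, window=64):
        self.enc_key, self.mac_key = derive_keys(master)
        self.window, self.highest, self.seen = window, -1, set()

    def open(self, packet):
        if len(packet) < SEQ.size + TAG_LEN:
            return None
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expect = hmac.new(self.mac_key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expect):
            return None                     # forged or corrupted: never decrypt
        seq = SEQ.unpack_from(body)[0]
        if seq in self.seen or seq <= self.highest - self.window:
            return None                     # replay, or older than the window
        self.seen.add(seq)
        self.highest = max(self.highest, seq)
        self.seen = {s for s in self.seen if s > self.highest - self.window}
        ct = body[SEQ.size:]
        ks = keystream(self.enc_key, seq, len(ct))
        return bytes(a ^ b for a, b in zip(ct, ks))
```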
RE: Writing to a mem BIO instead of using SSL_Write
> I'm trying (with no success) to detach SSL from a socket, and use it to crypt/decrypt using a mem BIO. Instead of using SSL_write, I want to write the encrypted data to a mem BIO (or just a buffer) and send it by myself (and do the reverse operation on receive). I will do this just after the initial negotiation. All the information will be encrypted, I just need to do the send/recv by myself.
>
> I need to change an existing application to use SSL. I'll need to put the already encrypted buffer in a queue, to be sent by another thread. The encryption thread doesn't have control over the socket.
>
> How can I do this?

You need to use BIO pairs. There is an example in the OpenSSL distribution, ssltest.c contains BIO pair code.

One very important tip on using BIO pairs. You have *4* things to do:

1) When the application wants to send some data, you have to give the plaintext to the SSL engine.

2) When you receive encrypted data from the socket, you need to give it to the SSL engine.

3) When the SSL engine wants to send encrypted data, you have to send it over the socket.

4) When the SSL engine has plaintext that it has decrypted, you have to take it from the engine and process it.

Do not try to simplify this into two things by combining the above. Think of them as four separate, unrelated things that all need to be done. Do not assume that receiving encrypted data from the socket will result in receiving unencrypted data from the SSL engine. It might or might not.

DS
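The four duties above, written against Python's in-memory BIO API (ssl.MemoryBIO and SSLObject, the same detached-from-socket arrangement as an OpenSSL BIO pair), as an added example that is not part of the thread. It drives a client with no peer at all, so no certificate is needed; make_client, pump and demo are assumed names and "example.com" is a placeholder peer.

```python
import ssl
# Added example (assumed names): SSL engine wired to memory BIOs, no socket, no peer.

def make_client(peer="example.com"):
    """Client-side SSL engine attached to two memory BIOs instead of a socket."""
    ctx = ssl.create_default_context()          # still verifies the peer cert
    from_net = ssl.MemoryBIO()                  # ciphertext received from the socket
    to_net = ssl.MemoryBIO()                    # ciphertext the engine wants sent
    tls = ctx.wrap_bio(from_net, to_net, server_side=False, server_hostname=peer)
    return tls, from_net, to_net

def pump(tls, from_net, to_net, received=b"", to_send=b""):
    """One pass over all four duties. Any field of the result may be empty
    no matter what came in, which is why the duties are kept separate."""
    result = {"to_socket": b"", "to_app": b"", "accepted": 0, "error": None}
    try:
        if received:                            # duty 2: socket bytes -> engine
            from_net.write(received)
        try:
            tls.do_handshake()                  # WantRead = needs more peer bytes
        except ssl.SSLWantReadError:
            pass
        if to_send:                             # duty 1: app plaintext -> engine
            try:
                result["accepted"] = tls.write(to_send)
            except ssl.SSLWantReadError:
                pass                            # not ready: caller keeps it queued
        while True:                             # duty 4: engine plaintext -> app
            try:
                chunk = tls.read(4096)
            except ssl.SSLWantReadError:
                break
            if not chunk:
                break
            result["to_app"] += chunk
    except ssl.SSLError as exc:                 # protocol error: tear the session down
        result["error"] = exc.reason or str(exc)
    result["to_socket"] = to_net.read()         # duty 3: engine bytes -> socket queue
    return result

def demo():
    """Drive a fresh client without a peer and record what each duty produced."""
    tls, from_net, to_net = make_client()
    first = pump(tls, from_net, to_net, to_send=b"GET / HTTP/1.0\r\n\r\n")
    idle = pump(tls, from_net, to_net)
    bogus = pump(tls, from_net, to_net, received=b"HTTP/1.0 400 Bad Request\r\n")
    return {
        "hello_is_handshake_record": first["to_socket"][:1] == b"\x16",
        "app_data_queued": first["accepted"] == 0 and first["to_app"] == b"",
        "idle_pass_silent": idle["to_socket"] == b"" and idle["to_app"] == b"",
        "garbage_rejected": bogus["error"] is not None,
    }
```

The first pass shows duty 3 firing (a ClientHello is queued for the socket) while duty 1 accepts nothing and duty 4 yields nothing; feeding a non-TLS reply shows that duty 2 can end in a protocol error rather than plaintext.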
EVP routines
Hi everybody.

I'm developing an application in C++ which uses some OpenSSL crypto operations. Concretely, I need to offer support for cipher operations, that is, there is a method which initializes an encrypt operation, an operation which encrypts input data and which will be called multiple times to encrypt successive blocks of data, and one operation to finalize an encrypt operation.

My problem is that I'm not obtaining the results I would hope for when I make successive calls to the encrypt/decrypt operations (EVP_EncryptUpdate() / EVP_DecryptUpdate() give back unexpected values such as 0 values).

The operation which initializes a cipher is like this:

```c
EVP_CIPHER_CTX *ctx = (EVP_CIPHER_CTX *)LocalAlloc(LMEM_ZEROINIT, sizeof(EVP_CIPHER_CTX));
EVP_CIPHER_CTX_init(ctx);
EVP_CipherInit_ex(ctx, enc, NULL, NULL, NULL, 1);
EVP_CIPHER_CTX_set_key_length(ctx, key_len);
/* We finished modifying parameters so now we can set key and IV */
int result = EVP_CipherInit_ex(ctx, NULL, NULL, key, iv, 1);
```

The function which makes a cipher by parts is:

```c
int result = EVP_CipherUpdate(ctx, pEncryptedPart, pulEncryptedPartLen, pPart, ulPartLen);
```

where pEncryptedPart is a buffer with the necessary length (ulPartLen + cipher_block_size - 1).

The function which finalizes the encrypt operation is:

```c
int result = EVP_CipherFinal_ex(ctx, pLastEncryptedPart, (int *)pulLastEncryptedPartLen);
EVP_CIPHER_CTX_cleanup(ctx);
```

What can be happening?

Thanks in advance

--
Antonio Andrés Espallardo ([EMAIL PROTECTED])
Dept. Ingeniería de la Información y las Comunicaciones
Facultad de Informática
Universidad de Murcia
--
RE: Writing to a mem BIO instead of using SSL_Write
Try to find some source code for EAP-TTLS or EAP-PEAP, these use mem BIO and SSL. You can try to read some source code of FreeRadius or Open1X.

Good luck.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of David Schwartz
Sent: Monday, January 17, 2005 11:56 AM
To: openssl-users@openssl.org
Subject: RE: Writing to a mem BIO instead of using SSL_Write

> > I'm trying (with no success) to detach SSL from a socket, and use it to crypt/decrypt using a mem BIO. Instead of using SSL_write, I want to write the encrypted data to a mem BIO (or just a buffer) and send it by myself (and do the reverse operation on receive). I will do this just after the initial negotiation. All the information will be encrypted, I just need to do the send/recv by myself.
> >
> > I need to change an existing application to use SSL. I'll need to put the already encrypted buffer in a queue, to be sent by another thread. The encryption thread doesn't have control over the socket.
> >
> > How can I do this?
>
> You need to use BIO pairs. There is an example in the OpenSSL distribution, ssltest.c contains BIO pair code.
>
> One very important tip on using BIO pairs. You have *4* things to do:
>
> 1) When the application wants to send some data, you have to give the plaintext to the SSL engine.
>
> 2) When you receive encrypted data from the socket, you need to give it to the SSL engine.
>
> 3) When the SSL engine wants to send encrypted data, you have to send it over the socket.
>
> 4) When the SSL engine has plaintext that it has decrypted, you have to take it from the engine and process it.
>
> Do not try to simplify this into two things by combining the above. Think of them as four separate, unrelated things that all need to be done. Do not assume that receiving encrypted data from the socket will result in receiving unencrypted data from the SSL engine. It might or might not.
>
> DS
Re: Writing to a mem BIO instead of using SSL_Write
Henry Su wrote:
> Try to find some source code for EAP-TTLS or EAP-PEAP, these use mem BIO and SSL. You can try to read some source code of FreeRadius or Open1X.
>
> Good luck.

Or mod_ssl in Apache 2.

--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff