Dynamic engine problems

2005-01-17 Thread Dmitry Belyavsky
Hello!

We are implementing custom engine providing GOST algorithms.
We get a SEGFAULT on app_shutdown.

We didn't find out what is wrong with our code. Engine code is attached.
We use 20050112 snapshot of 0.9.8 branch.

-- 
SY, Dmitry Belyavsky (ICQ UIN 6575)
#include string.h
#include openssl/err.h
#include openssl/evp.h
#include openssl/bn.h
#include openssl/engine.h
#include openssl/objects.h

static int NID_minimum_cipher_GOST = NID_undef;

#define OID_gost89 1.2.643.2.9.1.1.1
#define SN_gost89 gost89
#define LN_gost89 GOST 28147-89 symmetric cipher

int register_minimum_NID (void)
{
	NID_minimum_cipher_GOST = OBJ_create(OID_gost89, SN_gost89, LN_gost89);
	if (NID_minimum_cipher_GOST == NID_undef) {goto err;}
	return 1;
	
err:
	 NID_minimum_cipher_GOST = NID_undef;
	return 0;
}

/* Fake crypt functions */
int cce_cipher_init(EVP_CIPHER_CTX *ctx, const unsigned char *key,
		const unsigned char *iv, int enc){return 1;}

int	cce_cipher_do(EVP_CIPHER_CTX *ctx, unsigned char *out,
		const unsigned char *in, unsigned int inl){return 1;}

int cce_cipher_cleanup(EVP_CIPHER_CTX *ctx){return 1;}

#define minimum_LIB_NAME minimum GOST engine

static const char *engine_minimum_id = minimum;
static const char *engine_minimum_name = minimum GOST engine;

static int cce_destroy(ENGINE *e);
static int cce_init(ENGINE *e);
static int cce_finish(ENGINE *e);

/* Engine commands */
static const ENGINE_CMD_DEFN cce_cmd_defns[] = {
		{0, NULL, NULL, 0}
	};

/* Symetric cipher and digest function registrar */

static int cce_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
		 const int **nids, int nid);

static int cce_cipher_nids[]=
{NID_undef,0};

static EVP_CIPHER cipher_gost = 
	{
	  NID_undef,
	  1,/*block_size*/
	  32,/*key_size*/
	  8,
	  EVP_CIPH_CFB_MODE|EVP_CIPH_CUSTOM_IV|EVP_CIPH_NO_PADDING,
	  cce_cipher_init,
	  cce_cipher_do,
	  cce_cipher_cleanup,
	  0,/* ctx_size */
	  NULL,
	  NULL,
	  NULL,
	  NULL,
	};

static int cce_init(ENGINE *e) { 
	return 1;
}
static int cce_finish(ENGINE *e) { 
	return 1;
}

static int cce_destroy(ENGINE *e) { 
	ENGINE_unregister_ciphers(e);
	OBJ_cleanup();
	return 1;
}

static int bind_cce (ENGINE *e,const char *id) {
	if (id  strcmp(id, engine_minimum_id)) return 0;
	if (!ENGINE_set_id(e, engine_minimum_id)) {
		printf(ENGINE_set_id failed\n); 
		return 0;
	}	
	if (!ENGINE_set_name(e, engine_minimum_name)) {
		printf(ENGINE_set_name failed\n);
		return 0;
	}	
	if (!register_minimum_NID()) return 0;
	/*  set up NIDs */
	cipher_gost.nid = NID_minimum_cipher_GOST;
	/*  end set up NIDs */
if (! ENGINE_set_ciphers(e, cce_ciphers)) {
		printf(ENGINE_set_ciphers failed\n);
		return 0;
	}	
	if ( ! ENGINE_set_destroy_function(e, cce_destroy)
		|| ! ENGINE_set_init_function(e,cce_init)
		|| ! ENGINE_set_finish_function(e,cce_finish)) return 0;
	if ( ! ENGINE_register_ciphers(e)
		/* These two actually should go in LIST_ADD command */
		|| ! EVP_add_cipher(cipher_gost)
	   ) return 0;
	return 1;
}	

#ifdef _WIN32
extern __declspec( dllexport ) 
#endif
	
#ifndef OPENSSL_NO_DYNAMIC_ENGINE
IMPLEMENT_DYNAMIC_BIND_FN(bind_cce);
IMPLEMENT_DYNAMIC_CHECK_FN();
#else
static ENGINE *engine_cce(void)
	{
	ENGINE *ret = ENGINE_new();
	if(!ret)
		return NULL;
	if(!bind_cce(ret, engine_minimum_id))
		{
		ENGINE_free(ret);
		return NULL;
		}
	return ret;
	}

void ENGINE_load_cce(void)
	{
	/* Copied from eng_[openssl|dyn].c */
	ENGINE *toadd = engine_cce();
	if(!toadd) return;
	ENGINE_add(toadd);
	ENGINE_free(toadd);
	ERR_clear_error();
	}
#endif /* OPENSSL_NO_DYNAMIC_ENGINE */

static int cce_ciphers (ENGINE *e,const EVP_CIPHER **cipher,
		const int **nids, int nid) {
	int ok = 1;
	if (!cipher) {
		/* return list of supported nids */
		if (cce_cipher_nids[0] == NID_undef) {
			cce_cipher_nids[0] = NID_minimum_cipher_GOST;
		}
		*nids = cce_cipher_nids;
		return 1; /* Only one cipher supported */
	}

	if(nid == NID_minimum_cipher_GOST) {
			*cipher = cipher_gost;
	}
	return ok;
}	



Re: Dynamic engine problems

2005-01-17 Thread Richard Levitte - VMS Whacker
In message [EMAIL PROTECTED] on Mon, 17 Jan 2005 11:06:49 +0300 (MSK), Dmitry 
Belyavsky [EMAIL PROTECTED] said:

beldmit We are implementing custom engine providing GOST algorithms.
beldmit We get a SEGFAULT on app_shutdown.

That's because of the call to ENGINE_unregister_ciphers() in
cce_destroy().  Can I suggest you take a look at, for example,
demos/engines/rsaref/ for a working example to look at?

Cheers,
Richard

-
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.

-- 
Richard Levitte [EMAIL PROTECTED]
http://richard.levitte.org/

When I became a man I put away childish things, including
 the fear of childishness and the desire to be very grown up.
-- C.S. Lewis
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]


Re: Dynamic engine problems

2005-01-17 Thread Dmitry Belyavsky
Hello!

On Mon, 17 Jan 2005, Richard Levitte - VMS Whacker wrote:

 beldmit We are implementing custom engine providing GOST algorithms.
 beldmit We get a SEGFAULT on app_shutdown.

 That's because of the call to ENGINE_unregister_ciphers() in
 cce_destroy().  Can I suggest you take a look at, for example,
 demos/engines/rsaref/ for a working example to look at?

Thank you very much. Should we call ENGINE_unregister_ciphers any time
really? What are they for?

-- 
SY, Dmitry Belyavsky (ICQ UIN 6575)

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]


Re: Dynamic engine problems

2005-01-17 Thread Richard Levitte - VMS Whacker
In message [EMAIL PROTECTED] on Mon, 17 Jan 2005 13:27:03 +0300 (MSK), Dmitry 
Belyavsky [EMAIL PROTECTED] said:

beldmit Thank you very much. Should we call ENGINE_unregister_ciphers
beldmit any time really? What are they for?

It's a function to be called from the application when wanting
fine-tuned control of the stuff that the engine module delivers.
However, it all you want to do is to clean up at the end,
ENGINE_cleanup() (which is called from app_shutdown()) is all you
need.

Cheers,
Richard

-
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.

-- 
Richard Levitte [EMAIL PROTECTED]
http://richard.levitte.org/

When I became a man I put away childish things, including
 the fear of childishness and the desire to be very grown up.
-- C.S. Lewis
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]


Writing to a mem BIO instead of using SSL_Write

2005-01-17 Thread Rodrigo Strauss
Hi. 

I'm trying (with no success) to detach SSL from a socket, and use it
to crypt/decrypt using a mem BIO. Instead of using SSL_write, I want
to write the encrypted data to a mem BIO (or just a buffer) and send
it by myself (and do the reverse operation on receive). I will do this
just after the initial negotiation.

All the information will be encrypted, I just need to do the send/recv
by myself. I need to change an existing application to use SSL. I'll
need to put the already encrypted buffer in a queue, to be sent by
another thread. The encryption thread doesn't have control over the
socket. How can I do this?

Thanks,

Strauss
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]


using OpenSSL and NSS in same project

2005-01-17 Thread Aftab Alam
Hi All,

I am trying to use OpenSSL and NSS(Mozilla) toolkit in the same project.
When I try to compile the project 
It gives me an error 

error C2733: second C linkage of overloaded function 'SHA1_Update' not
allowed
c:\open.tar\openssl_debug_updated\openssl-0.9.7e\inc32\openssl\sha.h(116) :
see declaration of 'SHA1_Update'

same is the error for MD5_Update and MD2_Update.

Now I couldn't find some way to resolve this problem so I tried to rename
the functions MD5_Update, MD2_Update and SHA1_Update in the whole openSSL
source with
MD5_UpdateA, MD2_UpdateA and SHA1_UpdateA.
When I tried to build the dll then it gave me errors of some kind of
exporting symbols so I tried to build static debug for this and it worked
fine but the SHA1_Update still couldn't be resolved and is giving me the
following error

 link /nologo /subsystem:console /machine:I386 /opt:ref /debug /out:out32
.dbg\md2test.exe @E:\DOCUME~1\aftab\LOCALS~1\Temp\nma03100.
libeay32.lib(m_sha1.obj) : error LNK2001: unresolved external symbol
_SHA1_Updat
eA
out32.dbg\md2test.exe : fatal error LNK1120: 1 unresolved externals
NMAKE : fatal error U1077: 'link' : return code '0x460'

I want to know that is there any better way to resolve this issue, if I some
how get successful in doing it the way I am then what problem can it cause
afterwards.

Regards,
Muhammad Aftab 


smime.p7s
Description: S/MIME cryptographic signature


Re: SSL (or alike) over UDP

2005-01-17 Thread Ben Laurie
Peter 'Luna' Runestig wrote:
On Fri, 14 Jan 2005 21:10 pm, Eduardo Pérez wrote:
Do you know if it's possible to use SSL (or some other protocol) over
UDP running totally in user space.

The OpenVPN project http://openvpn.net/ runs OpenSSL over UDP, works
great.
No, it doesn't. It uses SSL do bootstrap UDP connections.
--
http://www.apache-ssl.org/ben.html   http://www.thebunker.net/
There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit. - Robert Woodruff
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]


Re: SSL (or alike) over UDP

2005-01-17 Thread Shaun Lipscombe
* Ben Laurie wrote:

 Peter 'Luna' Runestig wrote:
 On Fri, 14 Jan 2005 21:10 pm, Eduardo Pérez wrote:
 
 Do you know if it's possible to use SSL (or some other protocol) over
 UDP running totally in user space.
 
 
 The OpenVPN project http://openvpn.net/ runs OpenSSL over UDP, works
 great.
 
 No, it doesn't. It uses SSL do bootstrap UDP connections.

It says in the book Web Security  Commerce by Simson Garfinkel,
Gene Spafford that SSL cannot use UDP.

I read that bit just the other day :-)
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]


Re: SSL (or alike) over UDP

2005-01-17 Thread Andrew Mann
Shaun Lipscombe wrote:
* Ben Laurie wrote:

Peter 'Luna' Runestig wrote:
On Fri, 14 Jan 2005 21:10 pm, Eduardo Pérez wrote:

Do you know if it's possible to use SSL (or some other protocol) over
UDP running totally in user space.

The OpenVPN project http://openvpn.net/ runs OpenSSL over UDP, works
great.
No, it doesn't. It uses SSL do bootstrap UDP connections.

It says in the book Web Security  Commerce by Simson Garfinkel,
Gene Spafford that SSL cannot use UDP.
I read that bit just the other day :-)
  The question is a little vague.  I don't know of anything that you 
can just plug in that does this (I'm not very knowledgeable on the 
subject though).  If you mean can a system be built, then it can.
  You can arrange for order of arrival and guaranteed delivery above 
UDP and have basically rebuilt TCP  on top of UDP.  So in that respect, 
with some work anything that can work over TCP can work over UDP.  It 
would be counter productive to do this though unless your main goal was 
to work around a system that wouldn't pass IP packets with the protocol 
set to TCP.
  If you want to work with UDPs lower overhead by accepting lost and 
out of order packets then you need to use an encryption method that 
doesn't alter its state based on the data flow (i.e. RC4 would be out).
  SSL (usually?) uses public key encryption to exchange a shared secret 
that's used in a symmetric algorithm for the remainder of the 
conversation.  A straightforward method might be to establish a TCP 
connection for this key exchange, and then use a block cipher (blowfish 
perhaps) to encrypt individual UDP packets.  Since each UDP packet would 
be encrypted individually a lost or out of order packet would not matter 
to the decryption process.  I don't know how secure blowfish would be 
using the same key over and over, and certainly the more data you pass 
encrypted with the same key the easier it will become to analyze and 
break.  If you're worried about it you can keep the TCP connection open 
and exchange new symmetric keys occassionally.
  If you look into the encryption used for wireless communication (I'm 
sure there's a couple RFCs on this) that system should adapt to UDP 
transmissions without much work.  Use the newest standard, since the 
older one was fairly easy to break if I recall.

Andrew
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]


RE: Writing to a mem BIO instead of using SSL_Write

2005-01-17 Thread David Schwartz

 I'm trying (with no success) to detach SSL from a socket, and use it
 to crypt/decrypt using a mem BIO. Instead of using SSL_write, I want
 to write the encrypted data to a mem BIO (or just a buffer) and send
 it by myself (and do the reverse operation on receive). I will do this
 just after the initial negotiation.

 All the information will be encrypted, I just need to do the send/recv
 by myself. I need to change an existing application to use SSL. I'll
 need to put the already encrypted buffer in a queue, to be sent by
 another thread. The encryption thread doesn't have control over the
 socket. How can I do this?

You need to use BIO pairs. There is an example in the OpenSSL 
distribution,
ssltest.c contains BIO pair code.

One very important tip on using BIO pairs. You have *4* things to do:

1) When the application wants to send some data, you have to give the
plaintext to the SSL engine.

2) When you receive encrypted data from the socket, you need to give it 
to
the SSL engine.

3) When the SSL engine wants to send encrypted data, you have to send it
over the socket.

4) When the SSL engine has plaintext that it has decrypted, you have to
take it from the engine and process it.

Do not try to simplify this into two things by combining the above. 
Think
of them as four separate, unrelated things that all need to be done. Do not
assume that receiving encrypted data from the socket will result in
receiving unencrypted data from the SSL engine. It might or might not.

DS


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]


EVP routines

2005-01-17 Thread Antonio Andrés Espallardo



Hi everybody. 
I'm developing an aplication in C++ which uses some OpenSSL crypto operations. 
Concretely, I need to offer support to cipher operations, that is, there is a 
method whis initializes an encrypt operation, an operation which encrypts an 
input data and which will be called multiple times to encrypt successive blocks 
of data and one operation to finalize a encrypt operation. My problem is that 
I'm not obtaining the results I could hope when I make succesive calls to the 
encypt / decrypt operations (EVP_EncryptUpdate / EVP_DecryptUpdate(), gives back 
not expected values suchs as 0 values ).The operation which 
initialize a cipher is like this: EVP_CIPHER_CTX * 
ctx = (EVP_CIPHER_CTX *)LocalAlloc(LMEM_ZEROINIT, 
sizeof(EVP_CIPHER_CTX)); 
EVP_CIPHER_CTX_init(ctx); EVP_CipherInit_ex(ctx, enc, 
NULL, NULL, NULL, 1); 
EVP_CIPHER_CTX_set_key_length(ctx, key_len); /* We 
finished modifying parameters so now we can set key and IV 
*/ int result = EVP_CipherInit_ex(ctx, NULL, NULL, 
key,iv, 1);The function whick make a cipher by parts 
is: int result = EVP_CipherUpdate(ctx, 
pEncryptedPart, pulEncryptedPartLen, pPart, ulPartLen);where 
pEncryptedPart is a buffer whith the neccesary long (ulPartLen + 
cipher_block_size - 1).The function which finalizes the encrypt 
operation is: int result = EVP_CipherFinal_ex(ctx, 
pLastEncryptedPart,(int 
*)pulLastEncryptedPartLen); 
EVP_CIPHER_CTX_cleanup(ctx);What can be happening?. Thanks in 
advance--Antonio 
Andrés Espallardo ([EMAIL PROTECTED])Dept. Ingeniería de la Información y las ComunicacionesFacultad 
de InformáticaUniversidad de 
Murcia-- 



RE: Writing to a mem BIO instead of using SSL_Write

2005-01-17 Thread Henry Su
Try to find some source code for EAP-TTLS or EAP-PEAP, these use mem BIO and
SSL. You can try to read some source code FreeRadius or Open.1X. Good luck.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of David Schwartz
Sent: Monday, January 17, 2005 11:56 AM
To: openssl-users@openssl.org
Subject: RE: Writing to a mem BIO instead of using SSL_Write



 I'm trying (with no success) to detach SSL from a socket, and use it
 to crypt/decrypt using a mem BIO. Instead of using SSL_write, I want
 to write the encrypted data to a mem BIO (or just a buffer) and send
 it by myself (and do the reverse operation on receive). I will do this
 just after the initial negotiation.

 All the information will be encrypted, I just need to do the send/recv
 by myself. I need to change an existing application to use SSL. I'll
 need to put the already encrypted buffer in a queue, to be sent by
 another thread. The encryption thread doesn't have control over the
 socket. How can I do this?

You need to use BIO pairs. There is an example in the OpenSSL 
distribution,
ssltest.c contains BIO pair code.

One very important tip on using BIO pairs. You have *4* things to do:

1) When the application wants to send some data, you have to give the
plaintext to the SSL engine.

2) When you receive encrypted data from the socket, you need to give it 
to
the SSL engine.

3) When the SSL engine wants to send encrypted data, you have to send it
over the socket.

4) When the SSL engine has plaintext that it has decrypted, you have to
take it from the engine and process it.

Do not try to simplify this into two things by combining the above. 
Think
of them as four separate, unrelated things that all need to be done. Do not
assume that receiving encrypted data from the socket will result in
receiving unencrypted data from the SSL engine. It might or might not.

DS


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]


Re: Writing to a mem BIO instead of using SSL_Write

2005-01-17 Thread Ben Laurie
Henry Su wrote:
Try to find some source code for EAP-TTLS or EAP-PEAP, these use mem BIO and
SSL. You can try to read some source code FreeRadius or Open.1X. Good luck.
Or mod_ssl in Apache 2.
--
http://www.apache-ssl.org/ben.html   http://www.thebunker.net/
There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit. - Robert Woodruff
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]