Re: unsealing EVP_Seal... from command-line

2006-10-13 Thread Victor B. Wagner 
On 2006.10.12 at 18:44:20 -0400, William Triplett wrote:

 Dear openssl-users,
 
 Suppose that I have the Sealed Data, Envelope, and proper Private Key  
 for some data encrypted with EVP_Seal* using RC4 (basically, PHP's  
 openssl_seal() function). Is there a way to decrypt it using the  
 command-line openssl tools?

I think that you should look to openssl smime command.

EVP_Seal* is public key encryption which generate random session
key, encrypts it with private key and envelopes into some ASN1
structure.

try 

openssl smime -decrypt -in envelope -inform PEM -content sealed

You might have to add proper PEM header and footer to envelope.
Or decode base64 separately and use DER format.

You also have to base64 decode sealed data before feeding to decryption
routine.

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

sslv3 alert handshake failure

2006-10-13 Thread IT Professional 
I've generated ECC cert using openssl and was testing with the command:openssl s_client -connect localhost:443.Error was encountered:2028:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:.\ssl\s23_clnt.c:562:  Anyone has a idea what the error could mean?I can't be sure whether it's a server or a ECC cert issue?All advice would be appreciated.  Thanks in advance! 
		 
What is the internet to you? 
Contribute to the Yahoo! Time Capsule and be a part of internet history.

RE: How to share SSL session when using CreateProcess/execv

2006-10-13 Thread Mark 
David, 

  Agreed.  If any object in shared memory contained a pointer to
another
  object in shared memory this could cause a problem.  You would have
to
  ensure that the shared memory was mapped to the same address in all
  processes otherwise the pointers would not be valid.
 Since he's talking about a process that forks, there 
 shouldn't be a problem.
 He just needs to create a shared mapping in the parent. After 
 the 'fork', the address will still be the same.

However if the program forks and calls exec* then this issue could
arise.  The title of the thread suggests this ;-)

Cheers,
Mark
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Don Dhondt/US/BULL is out of the office.

2006-10-13 Thread Don . Dhondt 

I will be out of the office starting  10/13/2006 and will not return until
10/23/2006.


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

RE: How to share SSL session when using CreateProcess/execv

2006-10-13 Thread urjit_gokhale 
 Since he's talking about a process that forks, there 
 shouldn't be a problem.
 He just needs to create a shared mapping in the parent. After 
 the 'fork', the address will still be the same.

However if the program forks and calls exec* then this issue could
arise.  The title of the thread suggests this ;-)

Cheers,
Mark

Yeh, you are quite right Mark as when this thread started, I was considering 
fork()/exec() scenario. Later the discussion over several other approaches to 
the problem were discussed and an attempt to solve the problem by getting rid 
of exec() was under consideration.

As far as the application that I am working on is concerned, it already has a 
mechanism in place to map the shared memory at exactly the same address in all 
the related processes. So no issue withe the address there.

Of course, it will be great to have a feature in OpenSSL implementation iteslf 
that will enable SSL session handover / or even session sharing between 
multiple related processes. But I am not quite sure if this would involve any 
security hazards like session hijacking, that would in fact defete the purpose 
of SSL (which is to provide security).

~ Urjit

DISCLAIMER
==
This e-mail may contain privileged and confidential information which is the 
property of Persistent Systems Pvt. Ltd. It is intended only for the use of the 
individual or entity to which it is addressed. If you are not the intended 
recipient, you are not authorized to read, retain, copy, print, distribute or 
use this message. If you have received this communication in error, please 
notify the sender and delete all copies of this message. Persistent Systems 
Pvt. Ltd. does not accept any liability for virus infected mails.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: How to share SSL session when using CreateProcess/execv

2006-10-13 Thread Kyle Hamilton 

The point of SSL is to provide (possibly) data integrity (detection of
tampering and validation of the source of the data) and secrecy
services /on the wire/.  The endpoints have always been known to be
points of concern as they must maintain the keys, both private and
symmetric, in their memory space somewhere.

Putting these keys in shared memory arguably reduces overall security,
by bypassing the OS's normal mechanisms of process memory isolation.
This should certainly be an implementation concern, because if your
webserver gets compromised through a buffer overflow, integer
misreflection (overflow or fencepost errors on arrays for example), or
any other remote code execution vulnerability, then the shared memory
is readable.  In practice, this doesn't matter all that much because
it's very likely that the process that's compromised is running in the
same context as the key manager anyway.

The way OpenSSL works, unless it has an ENGINE doing its encryption
work for it, the keys are in accessible memory.  (Unless the ENGINE is
a tamper-resistant/detectant piece of hardware, they keys are going to
be in accessible memory again/as well.)

Also, OpenSSL's memory space is vulnerable to a debugger.  This has
also always been the case.

These are issues that are common to all software SSL/TLS
implementations.  Without adequate OS security, putting encrypted data
on the wire is like putting a deadbolt with an integrated alarm on a
pressboard door, and leaving the windows open.

These are some of the issues that need to be taken into consideration
when deciding whether to allow SSL/TLS connections to be passed back
and forth, not merely allowing SSL/TLS sessions to be resumed (which
implies keeping the session state for some period of time).  Since
UNIX domain sockets can pass file descriptors back and forth, the
ability to pass SSL and SSL_CTX objects back and forth as well might
be useful... but it's not important enough to me for me to code it. :)

-Kyle H

On 10/13/06, [EMAIL PROTECTED]
[EMAIL PROTECTED] wrote:

 Since he's talking about a process that forks, there
 shouldn't be a problem.
 He just needs to create a shared mapping in the parent. After
 the 'fork', the address will still be the same.

However if the program forks and calls exec* then this issue could
arise.  The title of the thread suggests this ;-)

Cheers,
Mark

Yeh, you are quite right Mark as when this thread started, I was considering
fork()/exec() scenario. Later the discussion over several other approaches
to the problem were discussed and an attempt to solve the problem by getting
rid of exec() was under consideration.

As far as the application that I am working on is concerned, it already has
a mechanism in place to map the shared memory at exactly the same address in
all the related processes. So no issue withe the address there.

Of course, it will be great to have a feature in OpenSSL implementation
iteslf that will enable SSL session handover / or even session sharing
between multiple related processes. But I am not quite sure if this would
involve any security hazards like session hijacking, that would in fact
defete the purpose of SSL (which is to provide security).

~ Urjit

DISCLAIMER
==
This e-mail may contain privileged and confidential information which is the
property of Persistent Systems Pvt. Ltd. It is intended only for the use of
the individual or entity to which it is addressed. If you are not the
intended recipient, you are not authorized to read, retain, copy, print,
distribute or use this message. If you have received this communication in
error, please notify the sender and delete all copies of this message.
Persistent Systems Pvt. Ltd. does not accept any liability for virus
infected mails.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]




--

-Kyle H
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Source for entropy on Windows platforms with CryptoAPI installed

2006-10-13 Thread Kyle Hamilton 

It just occurred to me that the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed (type
REG_BINARY) contains the latest seeded value from everything that
CryptoAPI takes into account when generating its random seed.
CryptoAPI permutes it with RC4 to come up with a pseudo-random stream,
but I wonder if it might make sense to try to make use of it the same
way OpenSSL on UNIX uses /dev/urandom?

Just a thought.

--

-Kyle H
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

RE: How to share SSL session when using CreateProcess/execv

2006-10-13 Thread David Schwartz 

 Of course, it will be great to have a feature in OpenSSL
 implementation iteslf that will enable SSL session handover / or
 even session sharing between multiple related processes.

Session sharing is pretty hard to do. Handover is not quite as hard. I think
that would be a really great feature.

The trick is to create code to serialize (into BER, I would imagine) all of
the SSL session state information into a form that is independent of any
other structures. On the flip side, you need to create the session object
from the BER data and then create session-private copies of any associated
structures needed to support the session (and get rid of them when you're
done with the session or hand it off).

If you standardize the format, it should be possible to hand a session off
even across different versions of OpenSSL and, eventually, across different
SSL implementations. (Does anyone know if there is such a standard already?)

 But I am
 not quite sure if this would involve any security hazards like
 session hijacking, that would in fact defete the purpose of SSL
 (which is to provide security).

SSL is only secure if the endpoints are secure. SSL secures the transport
and ensures you got the endpoint you intended.

However, there are some security issues that do need to be addressed. For
example, to support renegotiation, you have to hand off the private key
along with the session (I think). That could present some security issues in
that anyone who ever gets a session would have to be trusted with the
private key.

Another possible issue might be that it would be difficult to get session
handoff to work properly with session caching. In that case, the loss of
session caching could make a DoS attack possible or easier.

DS


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

i have a question ragarding self-signed certificate

2006-10-13 Thread Chong Peng 
guys:

we all know that a ca-signed certificate can provide authentication because the 
ca is trustable, by using ca-signed certificate, one is saying i am somebady 
because the ca says so. but it seems that a self-signed certificate _cannot_ 
provide any authentication at all, because by using self-signed certificate, 
one is saying i am somebody because i say so. 

if my understanding is correct, then why self-signed certificate is still used?

thanks.

chong peng
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: i have a question ragarding self-signed certificate

2006-10-13 Thread Max Pritikin 


Recall that even the 'ca' certificate is ultimately self-signed. So  
your question is really about why some self-signed certificates are  
more trusted than others.


In some fashion you could ask this question about any typical 'brand  
name' store. Why is Store-X trusted more than Store-Y? Simply because  
more people (or at least the person in question) has more experience  
with Store-X. Similarly for any particular self-signed CA cert,  
although we replace experience here with 'it is already in my  
certificate store', it is more trusted if the client knows about it  
already.


Now what if Store-Y isn't a chain store. Instead it is a little local  
boutique? Perhaps there isn't a need/expectation that a brand name  
and national marketing campaign is required; but they'd still like  
people to recognize their letterhead. So a logo and a local 'brand'  
is all that is required.


Similarly if all I want is for people to recognize my self-signed  
certificate I don't really need a CA, a pki hierarchy and all that.  
One self signed certificate should be enough...


If I've made things confusing with my metaphor you could also just  
think about the model for ssh... it is often valuable just to be able  
to know you're communicating with the same person you communicated  
with last time.


- max

On Oct 13, 2006, at 5:02 PM, Chong Peng wrote:


guys:

we all know that a ca-signed certificate can provide authentication  
because the ca is trustable, by using ca-signed certificate, one is  
saying i am somebady because the ca says so. but it seems that a  
self-signed certificate _cannot_ provide any authentication at all,  
because by using self-signed certificate, one is saying i am  
somebody because i say so.


if my understanding is correct, then why self-signed certificate is  
still used?


thanks.

chong peng
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Either a bug or a misunderstanding or Spyders in the code

2006-10-13 Thread Eric S. Eberhard 
I am trying to do encryption using the evp APIs.  For testing I am 
using AES-128-ECB as the cypher.  I have no problem encrypting and 
decrypting, rather I am having problems with the sizes of the buffers.


My program is largely the same as evp_test.c function test1 with 
the release /openssl-0.9.8c/test, however this program does not 
handle the padding -- all the test cases have even block-count bytes 
and the padding is turned off.  I removed the call to turn off the 
padding in my program.  My program is also like a sample program I 
found on-line which handles the padding the same as I 
do:  http://tldp.org/LDP/LG/issue87/vinayak.html


When encrypting a string of 37 bytes and passing as such:

if (!EVP_EncryptUpdate(ctx,out,outl,plaintext,37)) {

outl becomes 48 at this point (which is the expected size since this 
alogrithm appears to block at 16 bytes).  However, the next call as such:


if (!EVP_EncryptFinal(ctx,out+outl,outl2)) {

this sets outl2 to 16 ... meaning it padded one more additional block.

If I send decrypt 64 bytes it gives the desired answer (e.g. my text 
is what I expect it to be).  This is what I send:


  if (!EVP_DecryptUpdate(ctx,out,outl,ciphertext,64)) {

outl is set to 48 (I would really like it to be 37 ...)

  if (!EVP_DecryptFinal(ctx,out+outl,outl2)) {

outl2 is set to zero ...

It would seem that the first encrypt SHOULD set 32, the final encrypt 
should set 16 and the final result should then be 48 bytes.


It would also seem that the first decrypt should set 32, the final 
decrypt should set 5, and the final result should be 37 bytes.


At a bare minimum, it would seem that the total from the two 
encrypt statements should be 48 and the total from the two decrypt 
statement should be 37 or 48, depending on your taste, but I find 37 
more useful.  Last, I should not have to store 64 bytes of encrypted 
data to successfully encrypt and decrypt 37 bytes of data.


I have noticed that if I simply don't do the final calls for both 
encrypt and decrypt that everything appears to work on the encrypt 
and I save 48 bytes ... but when I decrypt it  I only get back 32 
bytes.  And if I do a final decrypt on data that did not have a final 
encrypt I get an error.


I suspect I am missing something because using openssl to encrypt the 
bytes from a file and in to a file yields a 64 byte file ... just 
like my program :-) But I don't understand why.


1) Should I always count on up to 2 extra blocks (1 for the remainder 
if any, one for no reason I can tell)?
2) When decrypting, is there a way to find out the original size (in 
my case 37)?

3) Am I missing something or is there a bug around here?
4) If I am going to handle large files that require multiple calls to 
the Encrypt routines, I presume I would turn the padding off until 
the very last block of data?  Same with decrypt?  My goal would be to 
be able to encrypt a file and get the exact same results as command 
line openssl.  And the reverse.


Thanks,

Eric



























This email sent by:

Eric S. Eberhard
(928) 567-3727  Voice
(928) 567-6122  Fax

928-301-7537 -- you may call any time day or night, I turn it off 
when I sleep :-)  Please try to use a land line first (reception often poor).


Note the change in the domain from vicspdi.com to vicsmba.com 

For Metropolis support and VICS MBA Support

http://www.vicsmba.com

Completely updated web site of personal pictures with many new 
pictures!  Includes horses, dogs, Corvairs, and more.


http://www.vicsmba.com/ourpics/index.html

Corvair pictures including the Judson setup on our 62 Sedan and lots 
of pictures of Cheryl's 62 Monza Wagon and our 62 Spyder convertible.


http://www.vicsmba.com/ourpics/corvairs.html

My younger brother Martin has started a very serious car company.  A 
hot rod (very fast) electric roadster is the first offering.  The 
chassis is built by Lotus to their specs.  Check it 
out:  http://www.teslamotors.com



__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: Either a bug or a misunderstanding or Spyders in the code

2006-10-13 Thread Kyle Hamilton 

OpenSSL does not store the plaintext size in block protocol usage.
That's an application-layer issue.

ECB mode, by the way, is REALLY discouraged.

Padding doesn't come into play until the second-to-last and last
blocks.  You should get 16*(3 blocks of data +1 block for the
EncryptFinal()) == 64 bytes.

If you're writing less than a multiple of the block size, you should
call EncryptFinal() on that write, not follow it up.  This is arguably
a bug in the block logic (the expected behavior you seem to want would
be: you should get 32 bytes from the write of 37 bytes, with the final
5 bytes stored in a buffer until you call EncryptFinal, which would
pad to the appropriate block length and then finish the encryption),
but I'm not certain it should be changed -- SSL and TLS have a need
for an application data flush feature that forces data to be flushed
without the encryption state being reset.

Every EncryptFinal() ciphertext block that you get from it, though, is
going to be the same (at least in ECB mode).  Personally, I regard the
fact that OpenSSL supports ECB mode without a Configure option (or at
least a warning when it's used) a bug.

So, to answer your questions in order:

1) The second-to-last block is not an extra block.  It contains
application data.  I believe that you can expect to get that last
block.

2) No.

3) I think you're missing something.

4) Padding doesn't happen until a short block occurs anyway, so
turning padding off until the final block won't change anything.  Look
at the source code to the command-line utility to see what it does, if
you want to get identical results.

Cheers,

-Kyle H

On 10/13/06, Eric S. Eberhard [EMAIL PROTECTED] wrote:

I am trying to do encryption using the evp APIs.  For testing I am
using AES-128-ECB as the cypher.  I have no problem encrypting and
decrypting, rather I am having problems with the sizes of the buffers.

When encrypting a string of 37 bytes and passing as such:

 if (!EVP_EncryptUpdate(ctx,out,outl,plaintext,37)) {

outl becomes 48 at this point (which is the expected size since this
alogrithm appears to block at 16 bytes).  However, the next call as such:

 if (!EVP_EncryptFinal(ctx,out+outl,outl2)) {

this sets outl2 to 16 ... meaning it padded one more additional block.

If I send decrypt 64 bytes it gives the desired answer (e.g. my text
is what I expect it to be).  This is what I send:

   if (!EVP_DecryptUpdate(ctx,out,outl,ciphertext,64)) {

outl is set to 48 (I would really like it to be 37 ...)

   if (!EVP_DecryptFinal(ctx,out+outl,outl2)) {


[...]



1) Should I always count on up to 2 extra blocks (1 for the remainder
if any, one for no reason I can tell)?
2) When decrypting, is there a way to find out the original size (in
my case 37)?
3) Am I missing something or is there a bug around here?
4) If I am going to handle large files that require multiple calls to
the Encrypt routines, I presume I would turn the padding off until
the very last block of data?  Same with decrypt?  My goal would be to
be able to encrypt a file and get the exact same results as command
line openssl.  And the reverse.

Thanks,

Eric

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: Either a bug or a misunderstanding or Spyders in the code

2006-10-13 Thread Eric S. Eberhard 

Kyle,

Thank you ... I thought I was missing something (actually the 
behavior told me what you told me, I just wanted to confirm it was 
correct).  I won't actually use ECB, it was randomly selected from 
the test file ...


A follow-up then ... if I have 37 bytes I would call Update twice and 
Final once?  If I have 32 bytes I would call Update once and Final 
once?  Or two Updates?


Is there a call to get the block size, or is that always 16? (I know 
it is in the ctx but I was hoping to get it sooner than that).


Thank you again!

Eric


At 06:27 PM 10/13/2006, you wrote:

OpenSSL does not store the plaintext size in block protocol usage.
That's an application-layer issue.

ECB mode, by the way, is REALLY discouraged.

Padding doesn't come into play until the second-to-last and last
blocks.  You should get 16*(3 blocks of data +1 block for the
EncryptFinal()) == 64 bytes.

If you're writing less than a multiple of the block size, you should
call EncryptFinal() on that write, not follow it up.  This is arguably
a bug in the block logic (the expected behavior you seem to want would
be: you should get 32 bytes from the write of 37 bytes, with the final
5 bytes stored in a buffer until you call EncryptFinal, which would
pad to the appropriate block length and then finish the encryption),
but I'm not certain it should be changed -- SSL and TLS have a need
for an application data flush feature that forces data to be flushed
without the encryption state being reset.

Every EncryptFinal() ciphertext block that you get from it, though, is
going to be the same (at least in ECB mode).  Personally, I regard the
fact that OpenSSL supports ECB mode without a Configure option (or at
least a warning when it's used) a bug.

So, to answer your questions in order:

1) The second-to-last block is not an extra block.  It contains
application data.  I believe that you can expect to get that last
block.

2) No.

3) I think you're missing something.

4) Padding doesn't happen until a short block occurs anyway, so
turning padding off until the final block won't change anything.  Look
at the source code to the command-line utility to see what it does, if
you want to get identical results.

Cheers,

-Kyle H

On 10/13/06, Eric S. Eberhard [EMAIL PROTECTED] wrote:

I am trying to do encryption using the evp APIs.  For testing I am
using AES-128-ECB as the cypher.  I have no problem encrypting and
decrypting, rather I am having problems with the sizes of the buffers.

When encrypting a string of 37 bytes and passing as such:

 if (!EVP_EncryptUpdate(ctx,out,outl,plaintext,37)) {

outl becomes 48 at this point (which is the expected size since this
alogrithm appears to block at 16 bytes).  However, the next call as such:

 if (!EVP_EncryptFinal(ctx,out+outl,outl2)) {

this sets outl2 to 16 ... meaning it padded one more additional block.

If I send decrypt 64 bytes it gives the desired answer (e.g. my text
is what I expect it to be).  This is what I send:

   if (!EVP_DecryptUpdate(ctx,out,outl,ciphertext,64)) {

outl is set to 48 (I would really like it to be 37 ...)

   if (!EVP_DecryptFinal(ctx,out+outl,outl2)) {


[...]



1) Should I always count on up to 2 extra blocks (1 for the remainder
if any, one for no reason I can tell)?
2) When decrypting, is there a way to find out the original size (in
my case 37)?
3) Am I missing something or is there a bug around here?
4) If I am going to handle large files that require multiple calls to
the Encrypt routines, I presume I would turn the padding off until
the very last block of data?  Same with decrypt?  My goal would be to
be able to encrypt a file and get the exact same results as command
line openssl.  And the reverse.

Thanks,

Eric

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]




This email sent by:

Eric S. Eberhard
(928) 567-3727  Voice
(928) 567-6122  Fax

928-301-7537 -- you may call any time day or night, I turn it off 
when I sleep :-)  Please try to use a land line first (reception often poor).


Note the change in the domain from vicspdi.com to vicsmba.com 

For Metropolis support and VICS MBA Support

http://www.vicsmba.com

Completely updated web site of personal pictures with many new 
pictures!  Includes horses, dogs, Corvairs, and more.


http://www.vicsmba.com/ourpics/index.html

Corvair pictures including the Judson setup on our 62 Sedan and lots 
of pictures of Cheryl's 62 Monza Wagon and our 62 Spyder convertible.


http://www.vicsmba.com/ourpics/corvairs.html

My younger brother Martin has started a very serious car company.  A 
hot rod (very fast) electric roadster is the first offering.  The 
chassis is built by Lotus to their specs.  Check it 
out:  http://www.teslamotors.com