Re: How to free SSL_METHOD structure
On Mon, Jun 21, 2010, jeff wrote: > Well that completely screwed up my plans. Am i glad i looked at this > thread before creating a disaster. > > So i was using SSL_METHOD struct to provide a custom implementation of > rsa_mod_exp. And this implementation needed to be provided on a per-need > basis. After your reply, I quickly ran a test and saw all my keys (RSA > structs) been carrying the same change. > > What's more disturbing is that I had thought that using "app_data" field > of the struct I could make the method context aware so it knows where it > was called from (and provide some thread safe mechanics in there). > > Is there any way to create unique instances of this struct to possibly > achieve some of the goals above? thanks > jeff > SSL_METHOD is the wrong place to put this kind of thing. You can develop an RSA_METHOD structure in an ENGINE and assign that to individual RSA structures when they are created. Then anything using that structure automatically ends up calling the custom routines in the RSA_METHOD. This is typically used for crypto accelerators and HSMs. Some of the standard ENGINEs under engines/ should give some pointers. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: questions about RSASSA-PSS
Dear Mounir IDRASSI, I am sorry for the wrong title in the last email. I read your code. I am not sure about the lower-level encoding method. For RSA_padding_add_PKCS1_PSS,what's the encoding method it use, RSASSA-PKCS1-V1_5 or RSASSA-PSS? I found a email chain in the archive, http://www.mail-archive.com/openssl-users@openssl.org/msg40229.html, which said that RSASSA-PSS is not supported in the openssl at that time. I really appreciate your help. Before referring your code, I would like to make sure the signature generation scheme. Thank you so much. Regards,Xiang From: luxiang...@hotmail.com To: openssl-users@openssl.org Subject: RE: questions about RSASSA-PSS Date: Tue, 22 Jun 2010 02:14:39 + Dear Cheers, Thank you for your help. I have downloaded your code. Thank you so much. Regards,Xiang > Date: Tue, 22 Jun 2010 03:46:51 +0200 > From: mounir.idra...@idrix.net > To: openssl-users@openssl.org > Subject: Re: questions about RSASSA-PSS > > Hi, > > The low-level functions RSA_padding_add_PKCS1_PSS and > RSA_verify_PKCS1_PSS will get the job done. > I have wrote last year a sample showing how they work. You can get it > here : http://www.idrix.fr/Root/Samples/openssl_pss_signature.c . > > For high-level function (maybe EVP interface), I will let other give > their hints. > > Cheers, > -- > Mounir IDRASSI > IDRIX > http://www.idrix.fr > > On 6/22/2010 3:26 AM, 芦翔 wrote: > > Hi all, > > Could anybody please tell me the support status of RSASSA-PSS in openss l with the version after 0.9.8l. If there is the implementation, could you please tell me which functions I can call directly for my project purpose. Thank you so much. > > Regards,Xiang > > _ > > MSN十年回馈,每位用户可免费获得价值25元的卡巴斯基反病毒软件2010激活码,快来领取! > > http://kaba.msn.com.cn/?k=1 > > > > __ > OpenSSL Project http://www.openssl.org > User Support Mailing Listopenssl-users@openssl.org > Automated List Manager majord...@openssl.org 聊天+搜索+邮箱 想要轻松出游,手机MSN帮你搞定! 立刻下载! _ 一张照片的自白――Windows Live照片的可爱视频介绍 http://windowslivesky.spaces.live.com/blog/cns!5892B6048E2498BD!889.entry
RE: questions about RSASSA-PSS
Dear Cheers, Thank you for your help. I have downloaded your code. Thank you so much. Regards,Xiang > Date: Tue, 22 Jun 2010 03:46:51 +0200 > From: mounir.idra...@idrix.net > To: openssl-users@openssl.org > Subject: Re: questions about RSASSA-PSS > > Hi, > > The low-level functions RSA_padding_add_PKCS1_PSS and > RSA_verify_PKCS1_PSS will get the job done. > I have wrote last year a sample showing how they work. You can get it > here : http://www.idrix.fr/Root/Samples/openssl_pss_signature.c . > > For high-level function (maybe EVP interface), I will let other give > their hints. > > Cheers, > -- > Mounir IDRASSI > IDRIX > http://www.idrix.fr > > On 6/22/2010 3:26 AM, 芦翔 wrote: > > Hi all, > > Could anybody please tell me the support status of RSASSA-PSS in openssl > > with the version after 0.9.8l. If there is the implementation, could you > > please tell me which functions I can call directly for my project purpose. > > Thank you so much. > > Regards,Xiang > > _ > > MSN十年回馈,每位用户可免费获得价值25元的卡巴斯基反病毒软件2010激活码,快来领取! > > http://kaba.msn.com.cn/?k=1 > > > > __ > OpenSSL Project http://www.openssl.org > User Support Mailing Listopenssl-users@openssl.org > Automated List Manager majord...@openssl.org _ SkyDrive电子画册,带你领略精彩照片,分享“美”时“美”刻! http://www.windowslive.cn/campaigns/e-magazine/ngmchina/?a=c
Openssl-dtls Client session sends hello in response to server hello.
Hi All, I am using openssl-0.9.8n with dtls-srtp extension. After upgrading to openssl version 0.9.8n I see a weird problem. This happens only once in a few hundred dtls handshakes. The dtls client sends client hello with 0 session id. The dtls server sends server hello with valid session id. Instead of responding to the server hello with ClientKeyExchange the client sends back a client hello message with 0 session id but some additional data (244 bytes) at the end of the packet. Here is the dump of the spurious client hello : <355 bytes> 16 fe ff 00 00 00 00 00 00 00 01 00 60 01 00 00 54 00 00 00 00 00 00 00 54 fe ff 4c 19 5e 5b e2 da 29 22 22 c8 b3 ad 81 e2 33 1f e5 ec a0 1c 73 b8 ee a0 0f 0c 74 c0 ae 02 00 da 00 00 00 24 00 39 00 38 00 35 00 16 00 13 00 0a 00 33 00 32 00 2f 00 07 00 15 00 12 00 09 00 14 00 11 00 08 00 06 00 ff 01 00 00 06 80 01 00 02 00 01 16 fe ff 00 00 00 00 00 00 00 02 00 8e 10 00 00 82 00 01 00 00 00 00 00 82 00 80 04 de 96 fd 46 62 1e 81 e8 41 30 ef 6d 73 34 f4 e5 cf 6e 50 3a a5 46 da ce d3 5b 32 2d af 5e 2b f5 8a d0 68 a2 76 89 b2 e7 fd 09 ef ae 3d f8 d4 01 bc 64 21 ec cd 0a 10 0f 02 22 de 22 f0 7b 65 d4 c3 03 f7 2c f9 36 29 a5 0c d8 2c 1f aa 71 76 ed aa e3 8c 05 e0 ac 87 4d 6e 74 b4 b9 88 61 c6 f1 58 88 ac a1 a4 e2 d7 76 4a ac 9b 98 e9 bd a6 53 7a ff 5e 57 ef c3 0e 44 bd fc a5 d5 ae 0e 1d 14 fe ff 00 00 00 00 00 00 00 03 00 01 01 16 fe ff 00 01 00 00 00 00 00 00 00 40 9e f2 5e 8b df 59 06 b1 a8 8b 98 ff aa 30 a2 37 83 c5 a3 52 a7 63 5a 35 ad 93 d5 00 5d c8 a7 e9 a3 cb 5b 5d 99 c0 29 bc 41 e7 73 3d ed 01 97 58 37 bb 05 7f 9e 36 45 67 92 7b 04 24 08 f4 f2 dc On receiving this client hello the server assumes that we are resuming an existing session and responds back with ServerHello with Finished message. Has anyone seen such a issue or know why this could happen with 0.9.8n. Any help is greatly appreciated. Regards, Nivedita
Re: questions about RSASSA-PSS
Hi, The low-level functions RSA_padding_add_PKCS1_PSS and RSA_verify_PKCS1_PSS will get the job done. I have wrote last year a sample showing how they work. You can get it here : http://www.idrix.fr/Root/Samples/openssl_pss_signature.c . For high-level function (maybe EVP interface), I will let other give their hints. Cheers, -- Mounir IDRASSI IDRIX http://www.idrix.fr On 6/22/2010 3:26 AM, 芦翔 wrote: > Hi all, > Could anybody please tell me the support status of RSASSA-PSS in openssl with > the version after 0.9.8l. If there is the implementation, could you please > tell me which functions I can call directly for my project purpose. Thank you > so much. > Regards,Xiang > _ > MSN十年回馈,每位用户可免费获得价值25元的卡巴斯基反病毒软件2010激活码,快来领取! > http://kaba.msn.com.cn/?k=1 > __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
questions about RSASSA-PSS
Hi all, Could anybody please tell me the support status of RSASSA-PSS in openssl with the version after 0.9.8l. If there is the implementation, could you please tell me which functions I can call directly for my project purpose. Thank you so much. Regards,Xiang _ MSN十年回馈,每位用户可免费获得价值25元的卡巴斯基反病毒软件2010激活码,快来领取! http://kaba.msn.com.cn/?k=1
Re: How to free SSL_METHOD structure
Well that completely screwed up my plans. Am i glad i looked at this thread before creating a disaster. So i was using SSL_METHOD struct to provide a custom implementation of rsa_mod_exp. And this implementation needed to be provided on a per-need basis. After your reply, I quickly ran a test and saw all my keys (RSA structs) been carrying the same change. What's more disturbing is that I had thought that using "app_data" field of the struct I could make the method context aware so it knows where it was called from (and provide some thread safe mechanics in there). Is there any way to create unique instances of this struct to possibly achieve some of the goals above? thanks jeff > > There isn't one. It is a static structure. > > Steve. > -- > Dr Stephen N. Henson. OpenSSL project core developer. This email contains Morega Systems Inc. Privileged and Confidential information. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Additional checks on peer certificate
Hi, I want to do some additional checks on the peer certificate, like a hostname check. My first question is how should I get access to the peer certificate in the verify callback: The documentation for X509_STORE_CTX_get_current_cert(ctx); states that in case of no error this may return NULL so I guess I should not just call this one at depth 0, as the certificate does not need to be in an error state (although that seems to work). I guess using SSL_CTX_set_verify(ssl) is also a bad idea and should only be called after the verify (so not from the callback), although I did not test this. I now use X509_STORE_CTX_get_chain when at depth 0 and use the certificate at entry 0 in this stack. Is the correct way to get access to the peer certificate? My second question is on when to do this check in the callback. I now do it when at depth 0 and preverify_ok was 1. This used to work ok until I added an "accept an expired certificate" option in the callback (when a certain command line option is set). In case of the expired certificate (the initial preverify_ok is 0 in this case) I do the check and return 1. What I now see that after this return the callback now gets called another time for the same certificate but with preverify_ok is 1. So now the additional verification is done twice (still works but is not what I had in mind ;-). So now I guess that I should change the code to only do the additional check when the INITIAL preverify_ok was 1, is this correct? And it is intended behaviour that it works like this (calling the callback again for a certificate that was originally not ok but is made ok by the return code of the callback) so my changes won't break in a future version? Kind regards, Marcel Fransen
Re: How to free SSL_METHOD structure
On Mon, Jun 21, 2010, Arunkumar Manickam wrote: > Hi, > > What is the function to be called to free SSL_METHOD * created using > SSLv23_client_method or other similar methods. > There isn't one. It is a static structure. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Auto Reply: How to free SSL_METHOD structure
I am on PTO from 6/21 - 6/25. I will get back to your questions and concerns when I am back. If this is an critical issue, please contact Rahul J oshi[rahul.x.jo...@oracle.com] for immediate assistance. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
How to free SSL_METHOD structure
Hi, What is the function to be called to free SSL_METHOD * created using SSLv23_client_method or other similar methods. Thanks, Arun
Auto Reply: Re: How to attach source code in a debug build(Win32 Visual C++)?
I am on PTO from 6/21 - 6/25. I will get back to your questions and concerns when I am back. If this is an critical issue, please contact Rahul J oshi[rahul.x.jo...@oracle.com] for immediate assistance. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: How to attach source code in a debug build(Win32 Visual C++)?
On 19-06-2010 01:49, Dave Thompson wrote: From: owner-openssl-us...@openssl.org On Behalf Of William A. Rowe Jr. Sent: Friday, 18 June, 2010 00:59 On 6/17/2010 10:10 PM, Dave Thompson wrote: (MSVC++ build) 2. Even if you have symbols, I believe they use relative pathnames, and the IDE has to be told where to find them. In the old VS/VC++6 I have, this is in Tools / Options / Directories / SourceFiles . In newer versions it's probably different but should be similar. More to the point, sources are never embedded into the obj/dll/exe. They must be distributed/available alongside a binary distribution (not really a problem for open 'source' - heh). That latter part is true everywhere. Unix objects/executables with -g contain the linenumbers and name of the sourcefile(s), but not the actual source, and if you debug on a different system where the sourcefiles are not present, or on the same system but the sourcefiles have been deleted (or changed!) it won't work. If the sourcefiles are present but in a different location, some debuggers can be persuaded to find them. However, for MS* there is another difference to know about: the debug info goes in a separate PDB file -- e.g. libeay32.dll and libeay32.pdb -- and to debug you need BOTH, PLUS the source. (* since about 2000; you might find some *really* old progams that don't have separate PDB, but good luck using them.) The older formats/alternatives are: .DBG in place of (or in addition to) .PDB: Option with all pre-2000 MS Compilers, still understood by the free (as in beer) WinDbg/SD/KD debugger. Anything that is in .DBG could have been inside the .EXE/.DLL, but putting it in its own file saves disk space and memory when not debugging that process. In closed-source software it also allows shipping the .EXE/.DLL and keeping the .DBG in the support department. .TDS in place of .PDB: Option with Borland/Turbo compilers. Understood only by Borlands Turbo Debugger of the same version as the program was compiled with. Anything that is in .TDS could have been inside the .EXE/.DLL, but putting it in its own file saves disk space and memory when not debugging that process. .SYM in place of .PDB: Used by Microsoft tools with 16 bit executables and some non-Win32 EXE/DLL formats (VxDs and such). These were understood by Microsoft debuggers old enough to actually step through this code and by the SoftICE debugger. .NMS in addition to other file types: Used by some NuMega/Compuware debuggers, including SoftICE. Unlike other formats, .NMS files may actually contain the source code itself, to allow debugging with the file system and disk drivers stopped inside the debugger. Note that SoftICE is no longer available due to mismanagement. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org