Forthcoming OpenSSL releases

2014-08-03 Thread OpenSSL 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Forthcoming OpenSSL releases


The OpenSSL project team would like to announce the forthcoming release
of OpenSSL versions 1.0.1i, 1.0.0n and 0.9.8zb.

These releases will be made available on 6th August at some time after
20.30 UTC. They will fix a number of security defects. Since these
security defects are considered as moderate severity or less no further
details or patches will be made available in advance of the release to
any parties.

Yours

The OpenSSL Project Team

-BEGIN PGP SIGNATURE-
Version: GnuPG v1

iQEcBAEBAgAGBQJT3fG+AAoJENnE0m0OYESRWFYH/iwM7iIQd+LIJsQSwcMvoCWv
JyhpJaQMZADYLkvc7uxP0y+mgqh2wg+2PwvNkW+gTPmjRefgYTygs69XT32iCBcw
fwCHfy+lYI1iNx/m+e5VxukXf81hGdULlVlb66PxsOm4iS1I/0IHSYyV90KXxMKL
gH/1/mJGVAYz7w88FqoCmQBdbJHLGgvBAaYgowsv9i5UcsU4VGcZnmydcX9XHDgQ
svRnDG/WjqSZvKBkgeKDdLcGUOeyqhG2mkLgZuVG12DVrG1fhJ2nyBg7Jic/4ZW7
IcxXWr2iwqoK/uT7SljMJgixWzS7vDX6Imd8zI9600c/iGwLRv5Bs3cqLrr+2G0=
=90J2
-END PGP SIGNATURE-
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: Question on EVP_DecryptFinal_ex

2014-08-03 Thread David Li 
Hi Thulasi/Rich,

Thanks! This prompted me to uncover another bug in the code. I did encrypt
an extra block of zeros! Now everything makes sense.

Can't help to dig a little deeper into this: In AES-CBC mode, the
decryption can be paralleled. Is this what the EVP_DecryptUpdate is doing
behind the scene?

For example, I need to break a long string into blocks to use
EVP_EncryptUpdate but I only need to feed the ciphertext into
EVP_DecryptUpdate once.

David


On Fri, Aug 1, 2014 at 8:36 PM, Salz, Rich rs...@akamai.com wrote:

 Just wanted to say that Thulasi’s explanations and advice are exactly
 correct; thanks!



 --

 Principal Security Engineer

 Akamai Technologies, Cambridge MA

 IM: rs...@jabber.me Twitter: RichSalz

RE: Query on X509 certificate validation- EVP_VerifyUpdate EVP_VerifyFinal

2014-08-03 Thread Mitra, Rituparna (STSD) 
Hi,

Thanks for the response.

The problem I am seeing is not with the DN. From what I understand, the 
distinguished name can be any one of the fields – CN, issuer, subject, that 
comes as part of the x509 certificate contents. None of these contain the ! 
character.

Let me clarify the issue a little more.

This is a SSO (single sign on) scenario from ‘app1’ -- ‘app2’ (our application 
is ‘app2’ while ‘app1’ is an external application not in our control)



1.   app1: sends a CGI POST request to app2 – the POST request has the UN 
(username).

2.   app2: does a CGI GET to receive the UN within app1’s POST request.

3.   app2: has app1’s x509 certificate already stored, since it has to 
allow SSO from app1 – gets verification ctx from here.

4.   app2: uses the UN (containing ! character) to form a hashdata,

5.   app2: passes hashdata to EVP_VerifyUpdate(ctx, .. )

6.   app2: calls EVP_VerifyFinal -- this eventually fails during public key 
check (EVP_PKEY_verify), due to the ! character in UN

As you see, in app2, we are not having any control over the character string 
type of the UN.

Is there a way to fix ‘app2’ to make EVP_VerifyFinal pass ? We can’t make 
changes to ‘app1’ as the application is not owned by us.
Is there any other solution you would suggest?


Thanks,
Rituparna Mitra




From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of Salz, Rich
Sent: Friday, August 01, 2014 7:33 PM
To: openssl-users@openssl.org
Subject: RE: Query on X509 certificate validation- EVP_VerifyUpdate  
EVP_VerifyFinal

You have to look at the character string type of the DN.  For example, in 
printableString the exclamation point is an illegal character.

--
Principal Security Engineer
Akamai Technologies, Cambridge MA
IM: rs...@jabber.memailto:rs...@jabber.me Twitter: RichSalz


From: Mitra, Rituparna (STSD)
Sent: Friday, August 01, 2014 7:21 PM
To: openssl-users@openssl.org
Subject: Query on X509 certificate validation- EVP_VerifyUpdate  
EVP_VerifyFinal

Hi,

I am using “openssl-1.0.1h” to do X509 certificate validation for accessing 
from app1 to app2 (these are 2 separate applications).


-  In app2, I have uploaded the X509 certificate generated by app1 and 
I am using the following code segment in app2 to verify the certificate (when 
app1 tries to login to app2).

-  This code works fine for all user names, except usernames containing 
a ! symbol (exclamation).

 EVP_MD_CTX_init(ctx);
 EVP_VerifyInit(ctx, md);
 EVP_VerifyUpdate(ctx, hashdata, strlen(hashdata));
 err = EVP_VerifyFinal(ctx, x509_sig, sigsize, pkey);

 where pkey = public key retrieved from the certificate.
   hashdata is a string calculated using the username as 
follows:  system_name:domain\username: 


-  EVP_VerifyFinal()  returns success with username test.

-  But using !test fails at EVP_VerifyFinal() which returns an error 
value -- err = 0 (67702888)


Here ! seems to be the problem character since nothing else is different b/w 
the 2 cases. I am curious to know the following:


a)  Do X509 certificates treat ! character differently?

b)  Is there a way to handle usernames with a ! correctly, so that 
certificate check passes?

c)   Since hashdata is passed to EVP_VerifyUpdate(), do I need to take care 
of anything while forming “hashdata” with the username?

Any response would be greatly appreciated.

Thanks and regards,
Rituparna Mitra