[openssl-users] NID_Name equivalent in a certificate

2015-04-28 Thread Mailer Mailer
Hi,

Can someone let me know what the equivalent field in a certificate is that
maps to NID_Name?

Thank you,
Tom
___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] SHA256() to EVP_* ?

2015-04-28 Thread Dave Thompson
> From: openssl-users On Behalf Of jonetsu
> Sent: Tuesday, April 28, 2015 13:53

> What would be the equivalent of the SHA256() function in the EVP
> class of methods ?  EVP_sha256() could be it, although from the
> short description in manual page it does not seemingly fit in,
> returning an EVP_MD which is, if not mistaken, an env_md_st
> structure.
> 
The LOWLEVEL modules use separate routines. There are routines 
for SHA1, and *separate* routines for SHA256, and separate routines 
for SHA384, and separate routines for MD5, and separate routines for 
RIPEMD160. There are routines for AES, and separate routines for 
RC4, and separate routines for Blowfish, and routines for DES and 
"tripleDES" aka DESede that overlap *some* because of the very 
close relationship but separate from all other symmetric ciphers. 
There are routines for RSA, and separate routines for DSA, and 
separate routines for DH, and separate routines for ECDSA, 
and separate routines for ECDH. 

EVP DOES NOT. EVP has *one* set of digest routines used for ALL 
digest algorithms, but with a data object specifying *which* digest.
EVP has *one* set of Cipher routines used for all symmetric ciphers,
with a data object specifying which. EVP has due to history *two* 
sets of asymmetric signature routines, which apply to three (and 
possibly more) asymmetric algorithms specified by data objects.

Thus the EVP equivalent to the SHA256*() lowlevel calls is 
to call the EVP_Digest* routines with a data object specifying 
SHA256, which is exactly what the value of EVP_sha256() is.

The man page named for EVP_DigestInit which also covers 
EVP_DigestInit_ex, EVP_DigestUpdate, EVP_DigestFinal,
EVP_DigestFinal_ex, and some related routines (although 
the link for EVP_DigestFinal original seems to be missing)
tells you how to do digests with EVP in general. Apparently 
it wasn't updated to list SHA2 digests, but that variation 
should be obvious from the documented pattern.
 
> The code I'm adapting to EVP has a first pass of shortening the
> key if too long:
> 
> /* Change key if longer than 64 bytes */
> if (klen > HMAC_INT_LEN) {
>   SHA256(key, klen, nkey);
>   key = nkey;
>   klen = SHA256_DIGEST_LENGTH;
> }
> 
> Before proceeding with the usual SHA256_Init(),
> SHA256_Update() (twice), and SHA256_Final.  All of which I have
> tested with the corresponding EVP_* methods.  For the use of
> SHA256() above, though, I'm puzzled regarding its EVP_*
> counterpart.
> 
If you are implementing HMAC, perhaps for PBKDF2 (which does 
that prehash-if-too-long), I hope you mean the code does 
one hash of ipad+data, which can consist of Init, 2 Updates, 
and Final (although there are other ways) and then a SECOND 
ENTIRE HASH of opad+innerhash, similarly. If that's not what 
you're doing, you're not doing standard HMAC, so it definitely 
won't be interoperable and may well not be secure, because 
HMAC was defined the way it is precisely because it was found 
the naïve way merely hashing key+data is not reliably secure.

Although if what you want is PBKDF2-HMAC, there are already 
two OpenSSL routines for that (again due to history).
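The key-prehash and two-hash HMAC structure described above, as an added example that is not code from the thread or from OpenSSL: Python's hashlib stands in for the EVP_DigestInit_ex/EVP_DigestUpdate/EVP_DigestFinal_ex pattern with EVP_sha256(), and the function names (sha256_oneshot, hmac_sha256, naive_keyed_hash, matches_reference, verify_tag) are this example's own.

```python
"""HMAC-SHA256 built from the Init/Update/Final digest pattern (added example).

Not code from the thread. It mirrors the construction described above:
prehash the key only when it is longer than the hash block size, hash
ipad||data, then run a SECOND entire hash over opad||inner_hash.
"""
import hashlib
import hmac

BLOCK_LEN = 64    # SHA-256 block size in bytes; the post's HMAC_INT_LEN
DIGEST_LEN = 32   # SHA256_DIGEST_LENGTH


def sha256_oneshot(data: bytes) -> bytes:
    """EVP counterpart of SHA256(buf, len, out): Init, one Update, Final."""
    h = hashlib.sha256()   # EVP_DigestInit_ex(ctx, EVP_sha256(), NULL)
    h.update(data)         # EVP_DigestUpdate(ctx, buf, len)
    return h.digest()      # EVP_DigestFinal_ex(ctx, out, &outlen)


def hmac_sha256(key: bytes, data: bytes) -> bytes:
    """Standard HMAC (RFC 2104) over SHA-256, written out step by step."""
    # Change key if longer than 64 bytes: the prehash from the quoted code.
    if len(key) > BLOCK_LEN:
        key = sha256_oneshot(key)
        assert len(key) == DIGEST_LEN
    # Shorter keys are zero-padded to the block length, never hashed.
    key = key.ljust(BLOCK_LEN, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)

    # Inner hash: Init, Update(ipad), Update(data), Final.
    inner = hashlib.sha256()
    inner.update(ipad)
    inner.update(data)
    inner_hash = inner.digest()

    # Outer hash: a second, entire digest over opad || inner_hash.
    outer = hashlib.sha256()
    outer.update(opad)
    outer.update(inner_hash)
    return outer.digest()


def naive_keyed_hash(key: bytes, data: bytes) -> bytes:
    """The construction the reply warns against: one hash of key || data.
    It is not HMAC and does not interoperate with anything that speaks HMAC."""
    return sha256_oneshot(key + data)


def matches_reference(key: bytes, data: bytes) -> bool:
    """True when the hand-built HMAC equals Python's stdlib hmac (interop check)."""
    reference = hmac.new(key, data, hashlib.sha256).digest()
    return hmac.compare_digest(hmac_sha256(key, data), reference)


def verify_tag(key: bytes, data: bytes, tag: bytes) -> bool:
    """Check a received tag in constant time rather than with ==."""
    return hmac.compare_digest(hmac_sha256(key, data), tag)


if __name__ == "__main__":
    # Constructed sample inputs, not values from the thread.
    short_key = b"key"
    long_key = bytes(range(100))   # 100 bytes > BLOCK_LEN, so it is prehashed
    msg = b"The quick brown fox jumps over the lazy dog"
    print("HMAC-SHA256  :", hmac_sha256(short_key, msg).hex())
    print("interop ok   :", matches_reference(short_key, msg), matches_reference(long_key, msg))
    print("naive != HMAC:", naive_keyed_hash(short_key, msg) != hmac_sha256(short_key, msg))
```

The long-key case shows that the prehash step is part of standard HMAC itself, which is why the stdlib result still matches.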




Re: [openssl-users] Performance problems with OpenSSL and threading

2015-04-28 Thread Jeffrey Walton
> In the future, this may change if/when OpenSSL does another FIPS validation.
> CMVP has changed the implementation guidance that requires the POST to run
> automatically without user intervention.  Any future FIPS validations would
> be subject to the new rules.  Hence, the behavior of FIPS_mode_set() may
> change in the future if OpenSSL decides to pursue another validation.
>
Ouch!

It was bad enough when they pounded the square hardware peg into a
round software hole. I see they lack practical experience in software
development, so now they are forcing folks into doing things that can
be questionable (and even ill-advised on a platform).


Re: [openssl-users] Generating RSA PrivateKey and PublicKey programmatically

2015-04-28 Thread Matt Caswell


On 28/04/15 22:10, Nayna Jain wrote:
> Is there any other way to store the private key and public key rather than
> in PEM format in a file?
> 
> I mean an API to store the public and private key separately in memory.

You mean like this:
https://www.openssl.org/docs/crypto/d2i_RSAPublicKey

Matt




Re: [openssl-users] Generating RSA PrivateKey and PublicKey programmatically

2015-04-28 Thread Nayna Jain

Is there any other way to store the private key and public key rather than in
PEM format in a file?

I mean an API to store the public and private key separately in memory.

Thanks & Regards,
Nayna Jain



From:   Matt Caswell 
To: openssl-users@openssl.org
Date:   04/28/2015 08:29 PM
Subject:Re: [openssl-users] Generating RSA PrivateKey and PublicKey
programmatically
Sent by:"openssl-users" 





On 28/04/15 15:39, Nayna Jain wrote:
> Hi all,
>
> I want to generate public and private key pair programmatically.
>
> However, I have some basic questions.
>
> The key generated using RSA_generate_key_ex is actually a key pair,
> having both private and public key.
> Now, if I want to extract the public and private keys separately from
> this and want to store it in different privatekey.pem and publickey.pem
> files, how can I do that programmatically?
>
> Also, when the openssl genrsa command line generates the privatekey.pem, does
> it have only the private key or also the public key?

Take a look at the various PEM_write*PUBKEY() and PEM_write*PrivateKey()
functions here:

https://www.openssl.org/docs/crypto/pem.html

Matt



Re: [openssl-users] FIPS 140-2 on iOS

2015-04-28 Thread Steve Marquess
On 04/28/2015 03:44 PM, Sec_Aficionado wrote:
> Hi there,
> 
> Total n00b question here. I recently ran across a question on an iOS
> forum where someone was building an app with FIPS 140-2 compliant
> communications.

Note there really is no such thing as "FIPS 140-2 compliant" (though you
see that term bandied around a lot and I'm guilty of doing so myself).

The term of interest is "FIPS 140-2 validated" (n.b.: that's "validated"
not "certified").

> Now, from reading here (mailing lists) about FIPS certification, it
> involves both the bits and the platform. So it would not be possible
> to create an app that is compliant on a platform that hasn't been
> certified. Is that a correct assumption? Or can I build a compliant
> app with just certified libraries?

A Level 1 FIPS 140-2 validation (Level 1 being the most common and the
"easiest") applies to a thing called a "cryptographic module" in the
context of one or more "OEs" or "Operational Environments" (loosely
speaking, "platforms"). Note at Level 1 products are not validated,
operating systems are not validated, only "cryptographic modules" are
validated.

Translated from FIPSspeak, for a software "module" that means a very
specific chunk of executable code running on a specific platform
(operating system and OS version and processor "architecture"). Move
that same code to another platform and it is no longer validated; the
validation is relative to the OEs or platforms.

The only valid reason to use a FIPS 140-2 validated module is that you
must in order to sell your cryptography-using product to the USG or DoD.
For that market you (typically, if the procurement officer is paying
attention) have to use a validated cryptographic module on one of the
OEs specifically listed for that module validation.

So for a software product there is no such thing as validation of the
product independent of the platform (OE) it runs on.

A partial exception to that rule is "user affirmation" per I.G. G.5, but
while technically a legitimate means of satisfying FIPS 140-2 validation
requirements that has limited practical value in the USG/DoD market.

Note I'm only discussing Level 1 validations here; Levels 2 and up are
different.

-Steve M.

-- 
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marqu...@opensslfoundation.com
marqu...@openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc


Re: [openssl-users] FIPS 140-2 on iOS

2015-04-28 Thread Q Gct
Hi,

I believe you can make an app that is FIPS compliant: since OpenSSL can be
made FIPS compliant on a non-validated OS, why not an app on iOS? But it
will be a FIPS compliant app, not a FIPS validated one.

On Tue, 28 Apr 2015 at 21:45, Sec_Aficionado wrote:

> Hi there,
>
> Total n00b question here. I recently ran across a question on an iOS forum
> where someone was building an app with FIPS 140-2 compliant communications.
>
> Now, from reading here (mailing lists) about FIPS certification, it
> involves both the bits and the platform. So it would not be possible to
> create an app that is compliant on a platform that hasn't been certified.
> Is that a correct assumption? Or can I build a compliant app with just
> certified libraries?
>
> Thanks!
>
> Sent from my mobile
> I may have missed some "autocorrections"


[openssl-users] FIPS 140-2 on iOS

2015-04-28 Thread Sec_Aficionado
Hi there,

Total n00b question here. I recently ran across a question on an iOS forum 
where someone was building an app with FIPS 140-2 compliant communications.

Now, from reading here (mailing lists) about FIPS certification, it involves 
both the bits and the platform. So it would not be possible to create an app 
that is compliant on a platform that hasn't been certified. Is that a correct 
assumption? Or can I build a compliant app with just certified libraries?

Thanks!

Sent from my mobile
I may have missed some "autocorrections"


Re: [openssl-users] How do I uninitialize OpenSSL properly?

2015-04-28 Thread Alexander
On 28.04.2015 at 20:06, Salz, Rich wrote:
>> Unfortunately this didn't solve my problem, but at least I narrowed it down.
>> The leaks are caused by my call to "SSL_CTX_load_verify_locations", which is
>> essentially "X509_STORE_load_locations".
> 
> Doesn't SSL_CTX_free release that data?  If not, please file an 
> RT ticket.

I am using that command to free my ctx pointer.

I think I don't have the rights to file a ticket (but I could be wrong,
because I have never been to https://rt.openssl.org/ before, much less
filed a ticket). I basically just clicked the button for creating a new
ticket and it told me that this area couldn't be loaded.


[openssl-users] SHA256() to EVP_* ?

2015-04-28 Thread jonetsu
Hello,

What would be the equivalent of the SHA256() function in the EVP
class of methods ?  EVP_sha256() could be it, although from the
short description in manual page it does not seemingly fit in,
returning an EVP_MD which is, if not mistaken, an env_md_st
structure.

The code I'm adapting to EVP has a first pass of shortening the
key if too long:

/* Change key if longer than 64 bytes */
if (klen > HMAC_INT_LEN) {
    SHA256(key, klen, nkey);
    key = nkey;
    klen = SHA256_DIGEST_LENGTH;
}

Before proceeding with the usual SHA256_Init(),
SHA256_Update() (twice), and SHA256_Final.  All of which I have
tested with the corresponding EVP_* methods.  For the use of
SHA256() above, though, I'm puzzled regarding its EVP_*
counterpart.

Suggestions, comments appreciated.

Regards.







Re: [openssl-users] How do I uninitialize OpenSSL properly?

2015-04-28 Thread Salz, Rich
> Unfortunately this didn't solve my problem, but at least I narrowed it down.
> The leaks are caused by my call to "SSL_CTX_load_verify_locations", which is
> essentially "X509_STORE_load_locations".

Doesn't SSL_CTX_free release that data?  If not, please file an RT 
ticket.


Re: [openssl-users] How do I uninitialize OpenSSL properly?

2015-04-28 Thread Alexander
Unfortunately this didn't solve my problem, but at least I narrowed it
down. The leaks are caused by my call to
"SSL_CTX_load_verify_locations", which is essentially
"X509_STORE_load_locations".

I found that function in x509_d2.c and I find it suspicious that this
function invokes exactly 4 function calls and leads to 4 memory leaks.
Therefore I assume that I need to undo all of these function calls when
exiting, which are:
- 2x X509_STORE_add_lookup
- 1x X509_LOOKUP_load_file
- 1x X509_LOOKUP_add_dir

How can I clean up everything those 4 functions allocate?

Cheers
Alex

On 26.04.2015 at 20:14, Alexander wrote:
> Thanks for the quick reply! I'm sorry, I didn't mean to sound impatient.
> It's just that I read through the archives and so much has been
> happening that I was afraid that my thread would be swamped away unnoticed.
> 
> My problem is most likely an on process exit thing, because I do the
> certificate stuff only once, no matter how long the application is
> running. Therefore it's probably not a big problem, but memory leaks
> look bad, because they imply that I am using OpenSSL improperly.
> 
> Anyway, thanks for the advice on apps_startup and apps_shutdown. I will
> try them out as soon as I can. Those defines do look like salvation from
> all the problems I had finding the right methods to
> initialize/uninitialize OpenSSL properly.
> 
> Have a happy rest of Sunday!
> 
> Cheers
> Alex
> 
> On 26.04.2015 at 18:33, Salz, Rich wrote:
>> This isn't paid support; two days isn't a long time to wait :)
>>
>> Is this on process exit?  If so, does it really matter?
>>
>> You might look at the apps_startup and apps_shutdown functions in 
>> apps/openssl.c on the master branch.
>>
>>  /r$
>>
>> --  
>> Senior Architect, Akamai Technologies
>> IM: richs...@jabber.at Twitter: RichSalz
>>
>>


Re: [openssl-users] Performance problems with OpenSSL and threading

2015-04-28 Thread John Foley
In the context of OpenSSL 1.0.1 or 1.0.2, this means FIPS_mode_set(1)
has returned with a successful return value. 

In the future, this may change if/when OpenSSL does another FIPS
validation.  CMVP has changed the implementation guidance that requires
the POST to run automatically without user intervention.  Any future
FIPS validations would be subject to the new rules.  Hence, the behavior
of FIPS_mode_set() may change in the future if OpenSSL decides to pursue
another validation.



On 04/28/2015 12:43 PM, Bryan Call wrote:
> What do you mean by “FIPS POST has completed”?
>
> -Bryan
>
>
>
>
>> On Apr 24, 2015, at 4:17 PM, John Foley wrote:
>>
>> Some of the algorithms still invoke the FIPS flavor of the algorithm
>> even when FIPS is disabled.  For example, this code is from
>> EVP_DigestUpdate().
>>
>> int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *data, size_t count)
>> {
>> #ifdef OPENSSL_FIPS
>> return FIPS_digestupdate(ctx, data, count);
>> #else
>> return ctx->update(ctx, data, count);
>> #endif
>> }
>>
>> In 1.0.1, locks 39 and 40 are:
>>
>> # define CRYPTO_LOCK_FIPS39
>> # define CRYPTO_LOCK_FIPS2   40
>>
>> You should try adding some logic to skip the lock in your lock
>> handler when the lock ID is 39 or 40. Again, it should be safe to not
>> lock on these two as long as the FIPS POST has completed.
>>
>>
>>
>> On 04/24/2015 05:56 PM, Bryan Call wrote:
>>> In my last email I ran the benchmark on Fedora 21 (big mistake).  
>>> Here are the results when running it back on the 28/56 core RHEL 6.5
>>> server showing contention in a different place (fips).  Is there a
>>> reason it would be calling into the FIPS code to get a lock if FIPS
>>> is not enabled?
>>>
>>> Contention log:
>>> [Apr 24 21:35:09.731] Server {0x7f5529ccd700} ERROR: contention for
>>> lock - total contention: 70662 waiting: 16 file: fips.c line: 471
>>> type: 40
>>> [Apr 24 21:35:09.732] Server {0x7f55299ca700} ERROR: contention for
>>> lock - total contention: 71605 waiting: 2 file: fips.c line: 107
>>> type: 39
>>>
>>>
>>> Lines in fips.c that see the contention the most:
>>> [bcall@bm77 trafficserver]$ grep fips.c diags.log | cut -f 19 -d ' '
>>> | sort | uniq -c | sort -rn
>>>  875379 471
>>>  288338 107
>>>  275472 127
>>>
>>>
>>> Different lock types and their contention frequency (multiple
>>> benchmarks):
>>>  875379 40  < - in fips.c
>>>  563810 39  <- also in fips.c
>>>  440518 1
>>>   44145 18
>>>   17447 2
>>>   11356 10
>>>1377 19
>>> 687 12
>>> 532 25
>>> 302 33
>>> 239 9
>>>  58 16
>>>  40 21
>>>  32 11
>>>  19 3
>>>   1 14
>>>
>>>
>>> Code to disable FIPS and log:
>>> #ifdef OPENSSL_FIPS
>>> int mode = FIPS_mode();
>>> Debug("ssl", "FIPS_mode: %d", mode);
>>> if (mode) {
>>>   FIPS_mode_set(0);
>>>   mode = FIPS_mode();   /* re-read so the log shows the new state */
>>>   Debug("ssl", "FIPS_mode: %d", mode);
>>> }
>>> #endif
>>>
>>> [Apr 24 21:43:45.860] Server {0x7f7628146800} DEBUG: (ssl) FIPS_mode: 0
>>>
>>> -Bryan
>>>
>>>
>>>
>>>
 On Apr 24, 2015, at 10:56 AM, John Foley wrote:

 When you create the private key given to SSL_CTX, be sure to
 instantiate a private key for each thread as well.  If you share
 the same key across all threads, this can introduce contention.

 Here are the type 1 & 2 locks:

 # define CRYPTO_LOCK_ERR 1
 # define CRYPTO_LOCK_EX_DATA 2

 Have you checked the OpenSSL error log to see what errors are being
 generated?

 Also, if you disable FIPS, does the thread contention still occur?



 On 04/24/2015 01:36 PM, Bryan Call wrote:
> We are using a single SSL_CTX across all the threads, so I will
> create multiple SSL_CTX per thread.  I implemented dynlock
> callbacks yesterday, but I didn’t see them being used in the tests
> I did.  I also added atomic counters to see what type of locks are
> having contention (see logs below):
>
> Most of the lock contention seems to be around type 2 and type 1
> locks when calling our lock callback.  In the FIPS/POST and
> SSL_CTX recommendations, in your previous email, what types of
> locks would those help with?
>
> Log output:
> [Apr 24 10:21:24.339] Server {0xb31} ERROR:  :178 (SSL_locking_callback)> contention for
> lock - total contention: 3938 waiting: 1 file:
> /SourceCache/OpenSSL098/OpenSSL098-52.20.2/src/crypto/ex_data.c
> line: 496 type: 2
> [Apr 24 10:21:24.754] Server {0xb10a000} ERROR:  :178 (SSL_locking_callback)> contention for
> lock - total contention: 1350 waiting: 1 file:
> /SourceCache/OpenSSL098/OpenSSL098-52.20.2/src/crypto/err/err_def.c line:
> 343 type: 1
>
>
> -Bryan
>
>
>
>
>> On Apr 23, 2015, at 4:46 PM, John Foley > 

Re: [openssl-users] Performance problems with OpenSSL and threading

2015-04-28 Thread Bryan Call
What do you mean by “FIPS POST has completed”?

-Bryan




> On Apr 24, 2015, at 4:17 PM, John Foley  wrote:
> 
> Some of the algorithms still invoke the FIPS flavor of the algorithm even 
> when FIPS is disabled.  For example, this code is from EVP_DigestUpdate().
> 
> int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *data, size_t count)
> {
> #ifdef OPENSSL_FIPS
> return FIPS_digestupdate(ctx, data, count);
> #else
> return ctx->update(ctx, data, count);
> #endif
> }
> 
> In 1.0.1, locks 39 and 40 are:
> 
> # define CRYPTO_LOCK_FIPS39
> # define CRYPTO_LOCK_FIPS2   40
> 
> You should try adding some logic to skip the lock in your lock handler when 
> the lock ID is 39 or 40. Again, it should be safe to not lock on these two as 
> long as the FIPS POST has completed.
> 
> 
> 
> On 04/24/2015 05:56 PM, Bryan Call wrote:
>> In my last email I ran the benchmark on Fedora 21 (big mistake).   Here are 
>> the results when running it back on the 28/56 core RHEL 6.5 server showing 
>> contention in a different place (fips).  Is there a reason it would be 
>> calling into the FIPS code to get a lock if FIPS is not enabled?
>> 
>> Contention log:
>> [Apr 24 21:35:09.731] Server {0x7f5529ccd700} ERROR: contention for lock - 
>> total contention: 70662 waiting: 16 file: fips.c line: 471 type: 40
>> [Apr 24 21:35:09.732] Server {0x7f55299ca700} ERROR: contention for lock - 
>> total contention: 71605 waiting: 2 file: fips.c line: 107 type: 39
>> 
>> 
>> Lines in fips.c that see the contention the most:
>> [bcall@bm77 trafficserver]$ grep fips.c diags.log | cut -f 19 -d ' ' | sort 
>> | uniq -c | sort -rn
>>  875379 471
>>  288338 107
>>  275472 127
>> 
>> 
>> Different lock types and their contention frequency (multiple benchmarks):
>>  875379 40  < - in fips.c
>>  563810 39  <- also in fips.c
>>  440518 1
>>   44145 18
>>   17447 2
>>   11356 10
>>1377 19
>> 687 12
>> 532 25
>> 302 33
>> 239 9
>>  58 16
>>  40 21
>>  32 11
>>  19 3
>>   1 14
>> 
>> 
>> Code to disable FIPS and log:
>> #ifdef OPENSSL_FIPS
>> int mode = FIPS_mode();
>> Debug("ssl", "FIPS_mode: %d", mode);
>> if (mode) {
>>   FIPS_mode_set(0);
>>   mode = FIPS_mode();   /* re-read so the log shows the new state */
>>   Debug("ssl", "FIPS_mode: %d", mode);
>> }
>> #endif
>> 
>> [Apr 24 21:43:45.860] Server {0x7f7628146800} DEBUG: (ssl) FIPS_mode: 0
>> 
>> -Bryan
>> 
>> 
>> 
>> 
>>> On Apr 24, 2015, at 10:56 AM, John Foley wrote:
>>> 
>>> When you create the private key given to SSL_CTX, be sure to instantiate a 
>>> private key for each thread as well.  If you share the same key across all 
>>> threads, this can introduce contention.
>>> 
>>> Here are the type 1 & 2 locks:
>>> 
>>> # define CRYPTO_LOCK_ERR 1
>>> # define CRYPTO_LOCK_EX_DATA 2
>>> 
>>> Have you checked the OpenSSL error log to see what errors are being 
>>> generated?
>>> 
>>> Also, if you disable FIPS, does the thread contention still occur?
>>> 
>>> 
>>> 
>>> On 04/24/2015 01:36 PM, Bryan Call wrote:
 We are using a single SSL_CTX across all the threads, so I will create 
 multiple SSL_CTX per thread.  I implemented dynlock callbacks yesterday, 
 but I didn’t see them being used in the tests I did.  I also added atomic 
 counters to see what type of locks are having contention (see logs below):
 
 Most of the lock contention seems to be around type 2 and type 1 locks 
 when calling our lock callback.  In the FIPS/POST and SSL_CTX 
 recommendations, in your previous email, what types of locks would those 
 help with?
 
 Log output:
 [Apr 24 10:21:24.339] Server {0xb31} ERROR: >>> :178 (SSL_locking_callback)> contention for lock - 
 total contention: 3938 waiting: 1 file: 
 /SourceCache/OpenSSL098/OpenSSL098-52.20.2/src/crypto/ex_data.c line: 496 
 type: 2
 [Apr 24 10:21:24.754] Server {0xb10a000} ERROR: >>> :178 (SSL_locking_callback)> contention for lock - 
 total contention: 1350 waiting: 1 file: 
 /SourceCache/OpenSSL098/OpenSSL098-52.20.2/src/crypto/err/err_def.c line: 
 343 type: 1
 
 
 -Bryan
 
 
 
 
> On Apr 23, 2015, at 4:46 PM, John Foley wrote:
> 
> Looking at your call stack, it appears you're testing with FIPS mode 
> enabled.  There's a lock in FIPS_selftest_failed() that's used to ensure 
> the crypto algorithms inside the FIPS boundary are not utilized until 
> after the POST has completed and passed. Unfortunately this lock remains 
> installed for the lifetime of the process.  We've seen thread contention 
> in this area when using OpenSSL.  One work-around is to modify your 
> handler that you pass to SSL_locking_callback() to not lock when the lock 
> ID is CRYPTO_LOCK_FIPS.  But you would only want to disable this 
> particular lock ID

Re: [openssl-users] Generating RSA PrivateKey and PublicKey programmatically

2015-04-28 Thread Matt Caswell


On 28/04/15 15:39, Nayna Jain wrote:
> Hi all,
> 
> I want to generate public and private key pair programmatically.
> 
> However, I have some basic questions.
> 
> The key generated using RSA_generate_key_ex is actually a key pair,
> having both private and public key.
> Now, if I want to extract the public and private keys separately from
> this and want to store it in different privatekey.pem and publickey.pem
> files, how can I do that programmatically?
> 
> Also, when the openssl genrsa command line generates the privatekey.pem, does
> it have only the private key or also the public key?

Take a look at the various PEM_write*PUBKEY() and PEM_write*PrivateKey()
functions here:

https://www.openssl.org/docs/crypto/pem.html

Matt



Re: [openssl-users] Generating RSA PrivateKey and PublicKey programmatically

2015-04-28 Thread Salz, Rich
A pair means two.  An RSA keypair is two keys, the public key and the private 
key.  You cannot have one without the other, and you cannot generate them 
separately.  You can, of course, store and use them separately, and must do so.

--
Senior Architect, Akamai Technologies
IM: richs...@jabber.at Twitter: RichSalz


[openssl-users] Generating RSA PrivateKey and PublicKey programmatically

2015-04-28 Thread Nayna Jain


Hi all,

I want to generate public and private key pair programmatically.

However, I have some basic questions.

The key generated using RSA_generate_key_ex is actually a key pair,
having both private and public key.
Now, if I want to extract the public and private keys separately from this
and want to store it in different privatekey.pem and publickey.pem files,
how can I do that programmatically?

Also, when the openssl genrsa command line generates the privatekey.pem, does it
have only the private key or also the public key?

Thanks & Regards,
Nayna Jain


[openssl-users] Working with large DH parameters

2015-04-28 Thread jack seth
Ok I have been doing some experiments with OpenVPN and I can connect using 
1 bit DH parameters.  Any bigger than that up to at least 13824 I get the 
following 'modulus too large' error on the client log:

TLS_ERROR: BIO read tls_read_plaintext error: error:05066067:Diffie-Hellman 
routines:COMPUTE_KEY:modulus too large: error:14098005:SSL 
routines:SSL3_SEND_CLIENT_KEY_EXCHANGE:DH lib
Wed Apr 22 07:08:58 2015 TLS Error: TLS object -> incoming plaintext read error
Wed Apr 22 07:08:58 2015 TLS Error: TLS handshake failed

Something interesting/weird also happened.  I tried to test 10001, 10002, and 
10004 bit DH to find the exact place I would get the 'modulus too large' error. 
 But the server log reported the DH parameters being 10008 instead.  I did a 
test at 15104 that gave the same error but then I tried two more times and the 
client just sat at the 'initial packet point' like it does with the 16384 bit 
parameters.  So somewhere between 13824 and 16384 it switches between the error 
above and just sitting there 'frozen'.

Questions: 1. Can the modulus error be cured?  2. Do you think the same modulus 
error is going on when the client appears to freeze with parameters larger than 
13824 or is something else going on (i.e. why does it freeze instead of giving the 
'modulus error')?  3. Why does the server log report 10001, 10002, 10004 bit DH 
as 10008? 


Re: [openssl-users] FIPS: SSL 3.0 now forbidden in latest NDCPP update

2015-04-28 Thread Salz, Rich
>  If they have counterparts in TLS that could be used, why wouldn't
> the TLS version show up instead ?

Because they are *the same*.  TLS did not take old ciphers and renumber or 
rename them.



Re: [openssl-users] FIPS: SSL 3.0 now forbidden in latest NDCPP update

2015-04-28 Thread jonetsu
> SSLv3 in the ciphersuite definition means it can be used in
> SSLv3 *and later*. A ciphersuite isn't defined once for SSLv3,
> and then again for TLS1.0, and again for TLS1.1 etc - its just
> defined once and is reused across multiple protocol versions.

Yes, this is what I basically understood.  What was lacking then in my
understanding is that:

% OPENSSL_FIPS=1 openssl ciphers -v

Will not output strictly according to FIPS.  Maybe there's no easy way to do
that when the definition of a cipher states otherwise.

Thanks.





Re: [openssl-users] FIPS: SSL 3.0 now forbidden in latest NDCPP update

2015-04-28 Thread Matt Caswell


On 28/04/15 13:31, jonetsu wrote:
>> That refers to the minimum version of the ciphersuite: it
>> doesn't imply that it will only be used in SSLv3 (which is
>> disabled in FIPS mode).
> 
> Hmmm...  I'm sorry but I do not really understand this.  Since openssl is
> run in FIPS mode, and since SSLv3 is disabled, then why would the SSLv3
> ciphers show up ?  If they have counterparts in TLS that could be used, why
> wouldn't the TLS version show up instead ?

SSLv3 in the ciphersuite definition means it can be used in SSLv3 *and
later*. A ciphersuite isn't defined once for SSLv3, and then again for
TLS1.0, and again for TLS1.1 etc - it's just defined once and is reused
across multiple protocol versions.

Matt



Re: [openssl-users] FIPS: SSL 3.0 now forbidden in latest NDCPP update

2015-04-28 Thread jonetsu
> That refers to the minimum version of the ciphersuite: it
> doesn't imply that it will only be used in SSLv3 (which is
> disabled in FIPS mode).

Hmmm...  I'm sorry but I do not really understand this.  Since openssl is
run in FIPS mode, and since SSLv3 is disabled, then why would the SSLv3
ciphers show up ?  If they have counterparts in TLS that could be used, why
wouldn't the TLS version show up instead ?

Thanks.





Re: [openssl-users] ECDSA digest configurations

2015-04-28 Thread Dr. Stephen Henson
On Mon, Apr 27, 2015, Rajeswari K wrote:

> Hi Steve,
> 
> Thanks for the response.
> 
> We are using openssl-1.0.1j.
> 
> Following is how have configured NID_sha1 and NID_ecdsa_with_sha1.
> 
> We use our own signature and digest methods. But, I see modification of
> digest has issue. If I don't set any digest method, then our signature
> functions are getting used and for digest openssl's sha1, sha256 etc
> functions are getting used.
> 
> I see that configuration of NID_ecdsa_with_sha1 has some issue on my setup.
> Please take a look at these configurations and provide your inputs.
> 
> 
> ECDSA digest structure :
> 
> static const EVP_MD ios_ecdsa_sha1 =
> {
> NID_ecdsa_with_SHA1,
> NID_ecdsa_with_SHA1,
> SHA_DIGEST_LENGTH,
> EVP_MD_FLAG_PKEY_METHOD_SIGNATURE,
> sha1init,
> sha1update,
> sha1final,
> NULL,
> NULL,
> EVP_PKEY_ECDSA_method,
> SHA_CBLOCK,
> sizeof(EVP_MD *)+sizeof(SHA1_CTX)
> };
> 
> RSA digest structure :
> static const EVP_MD ios_sha1_md =
> {
> NID_sha1,
> NID_sha1WithRSAEncryption,
> SHA_DIGEST_LENGTH,
> 0,
> sha1init,
> sha1update,
> sha1final,
> NULL,
> NULL,
> EVP_PKEY_RSA_method,
> SHA_CBLOCK,
> sizeof(EVP_MD *) + sizeof(SHA1_CTX)
> };
> 
> With this update, only RSA ciphers are working fine. But not ECDSA ciphers.
> 

As I said, for OpenSSL 1.0.0 and later there is no need for an "ECDSA digest":
the SHA1 digest (which is the one you call the "RSA digest") can be used to sign
with any appropriate algorithm if you set EVP_MD_FLAG_PKEY_METHOD_SIGNATURE,
but in your example you've set it to 0.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] Encryption and Decryption using ECC based certificate private/public key pair

2015-04-28 Thread Jayalakshmi bhat
Hi Jeff,

Thanks a lot for the detailed explanation. Since I have a requirement to
use the certificate public/private keys for encryption/decryption I believe
I should be able to use  ECDHE based approach.

Regards
Jayalakshmi

On Sun, Apr 26, 2015 at 11:41 PM, Jeffrey Walton  wrote:

> On Mon, Apr 27, 2015 at 12:54 AM, Jayalakshmi bhat
>  wrote:
> > Hello All,
> >
> > I am working on a project where there is need to encrypt and decrypt
> certain
> > data using certificate public/private key pair. So far we were using RSA
> > based certificates. OpenSSL provides good number of API's for RSA based
> > encryption/decryption operation.
> >
> > Now we are planning to support ECDSA based certificates also. I am not
> able
> > to find any encryption/decryption API's in EC context.
> >
> > I wanted to know are there any encryption/decryption API's using ECDSA
> based
> > public/private key pair. Or is there any sample code I can look into.
> ECDSA is a signing algorithm used for authentication. If you want to
> encrypt/decrypt, then you need something else.
>
> In the case of SSL/TLS, the something else is ECDHE. A shared secret
> drops out of the ECDHE key exchange, and that's used to key a channel
> for bulk encryption. The ECDSA signature authenticates ECDHE
> parameters so you know they are authentic (i.e., from the party who
> you expect, and not an adversary).
>
> In addition to ECDHE, another choice is the MQV family of key
> exchanges. It's a family now because MQV leaked some information about
> the private exponent, so Krawczyk provided "Hashed MQV" (HMQV). HMQV
> was later improved by Sarr, Elbaz–Vincent, and Bajard with "Fully
> Hashed MQV" (FHMQV).
>
> As far as encryption systems outside of SSL/TLS, check out Elliptic
> Curve Integrated Encryption Scheme (ECIES). You can do bulk encryption
> and decryption with it also. But it does not use an ECDSA key per se;
> rather, it's just an ecPublicKey ASN.1 type.
>
> ECIES is a Diffie-Hellman based integrated scheme that combines a Key
> Encapsulation Mechanism (KEM) with a Data Encapsulation Mechanism
> (DEM). The output is a 3-tuple {K,C,T}, where K is an "encrypted shared
> secret" (lots of hand waving), C is the cipher text and T is an
> authentication tag. In ECIES, K is really half of an ECDHE exchange
> with an ephemeral key. To recover the "encrypted shared secret", the
> person doing the decryption uses their long term static key to perform
> the other half of the key exchange, and that's the shared secret. The
> shared secret is then digested with a KDF and used to key a stream
> cipher and a HMAC.
>
> Jeff
> ___
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
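Jeff's KEM/DEM description carried out with nothing but the openssl command line, as an added example (editorial, not code from the thread or from OpenSSL). The KDF here is our own simplified label-based SHA-256 derivation and AES-128-CTR plus HMAC-SHA256 is one choice of DEM; both are assumptions for illustration, and a deployment must use whatever profile (X9.63 KDF, HKDF, the SEC 1 parameters) its peer implements. The recipient's key is a plain EC key of the same ecPublicKey type an ECDSA certificate carries, which is exactly why no separate "encryption API" exists for it in the EC code: the encryption comes from a key agreement, not from the key.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSL: an ECIES-style
# KEM/DEM round trip built only from the openssl command line.
#   KEM: ephemeral ECDH on prime256v1 against the recipient's static public key
#   KDF: SHA-256(Z || label), our own simplified labelled KDF (real ECIES
#        profiles use X9.63 or HKDF; match whatever your peer implements)
#   DEM: AES-128-CTR as the stream cipher, HMAC-SHA256 tag (encrypt-then-MAC)
# The output tuple {K, C, T} is K = ephemeral public key (K.pem), C = ciphertext
# (C.bin) and T = tag (T.hex).
set -eu

hex_stdin() { od -An -v -tx1 | tr -d ' \n'; }
ZERO_IV=00000000000000000000000000000000

# derive Z_FILE LABEL -> hex of SHA-256(Z || LABEL)
derive() { { cat "$1"; printf '%s' "$2"; } | openssl dgst -sha256 -binary | hex_stdin; }

# ecies_encrypt RECIPIENT_PUB.pem PLAINTEXT OUTDIR -> writes OUTDIR/K.pem, C.bin, T.hex
ecies_encrypt() {
  pub=$1; pt=$2; out=$3
  openssl ecparam -name prime256v1 -genkey -noout -out "$out/eph.pem"   # ephemeral key
  openssl ec -in "$out/eph.pem" -pubout -out "$out/K.pem" 2>/dev/null    # K, sent in clear
  openssl pkeyutl -derive -inkey "$out/eph.pem" -peerkey "$pub" -out "$out/Z.bin"
  enc=$(derive "$out/Z.bin" ecies-enc | cut -c1-32)   # 128-bit AES key (hex)
  mac=$(derive "$out/Z.bin" ecies-mac)                # 256-bit HMAC key (hex)
  # Every message gets a fresh ECDH secret and hence a fresh key, so a fixed
  # IV is safe for CTR here; never reuse this pattern with a static key.
  openssl enc -aes-128-ctr -K "$enc" -iv "$ZERO_IV" -in "$pt" -out "$out/C.bin"
  openssl dgst -sha256 -mac HMAC -macopt "hexkey:$mac" "$out/C.bin" | awk '{print $NF}' > "$out/T.hex"
  rm -f "$out/eph.pem" "$out/Z.bin"   # the sender keeps no secret material
}

# ecies_decrypt RECIPIENT_PRIV.pem INDIR PLAINTEXT_OUT -> 0 on success, 2 on bad tag
ecies_decrypt() {
  priv=$1; dir=$2; out=$3
  openssl pkeyutl -derive -inkey "$priv" -peerkey "$dir/K.pem" -out "$dir/Z.bin"
  enc=$(derive "$dir/Z.bin" ecies-enc | cut -c1-32)
  mac=$(derive "$dir/Z.bin" ecies-mac)
  rm -f "$dir/Z.bin"
  got=$(openssl dgst -sha256 -mac HMAC -macopt "hexkey:$mac" "$dir/C.bin" | awk '{print $NF}')
  # Verify before decrypting. A shell string compare is not constant-time;
  # library code should use CRYPTO_memcmp or equivalent here.
  if [ "$got" != "$(cat "$dir/T.hex")" ]; then
    echo "tag mismatch: ciphertext rejected" >&2
    return 2
  fi
  openssl enc -d -aes-128-ctr -K "$enc" -iv "$ZERO_IV" -in "$dir/C.bin" -out "$out"
}

# ecies_demo: round trip a constructed message, then show that a modified
# ciphertext is rejected. Returns 0 only if both behave as expected.
ecies_demo() {
  d=$(mktemp -d); rc=1
  openssl ecparam -name prime256v1 -genkey -noout -out "$d/recip.pem"  # static key
  openssl ec -in "$d/recip.pem" -pubout -out "$d/recip_pub.pem" 2>/dev/null
  printf 'constructed sample plaintext for ECIES' > "$d/msg"
  mkdir "$d/ct"
  ecies_encrypt "$d/recip_pub.pem" "$d/msg" "$d/ct"
  if ecies_decrypt "$d/recip.pem" "$d/ct" "$d/pt" && cmp -s "$d/msg" "$d/pt"; then
    echo "round trip ok: $(cat "$d/pt")"
    printf 'x' >> "$d/ct/C.bin"            # tamper: append a byte to C
    if ecies_decrypt "$d/recip.pem" "$d/ct" "$d/pt2" 2>/dev/null; then
      echo "tampered ciphertext was accepted" >&2
    else
      echo "tampered ciphertext rejected"; rc=0
    fi
  fi
  rm -rf "$d"; return "$rc"
}

if command -v openssl >/dev/null 2>&1; then ecies_demo; fi
```

The recipient's static key pair is generated with `openssl ecparam -genkey`, exactly as an ECDSA signing key would be; to use the key from an existing certificate instead, extract it with `openssl x509 -pubkey -noout` and pass that file as the `-peerkey`.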


Re: [openssl-users] Certificate template information

2015-04-28 Thread Franks Andy (IT Technical Architecture Manager)
Hi Jakob, 

  Thanks for the feedback, what you say makes sense, so I'll try and
avoid the non-standard Microsoft thing.

Apologies for the top - posting, I get so used to pressing reply.

Kind regards,

Andy

___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] Certificate template information

2015-04-28 Thread Jakob Bohm

(top posting because OP did so)

Note that as I already said, checking the template name
is usually a mistake, unless you happen to know that
some other software will reject certificates without
specific template names.

It is much more relevant (and should be done even if
the template name is also checked) to check all the
specific certificate properties (extensions, basic
settings, name forms etc.) against the requirements.

Tests such as:

Does it include the required set of key usages and
extended key usages?

Does it include any neither required nor optional
(and thus unwanted) key usages or extended key
usages?

Does the Subject Name have the required form and
the required fields?

Does it include any required "Subject Alternate
Names"?

Does it include any unwanted "Subject Alternate
Names"?

Is the key of the required type and size?

Is the signature on the certificate of the required
type and size?

Etc. Etc.

Basically, look at valid certificates and create a
test for each of the fields/attributes.

This way, unless some other broken software tests the
template name, the testing will be correct even if at
some later stage a "variant" template is created for
some subset of the certificates used for this purpose.
For example, a special template for servers in the HR
department.

On 28/04/2015 10:08, Franks Andy (IT Technical Architecture Manager) wrote:
> Thanks Rich, Jakob.
> So, can I use openssl as it is to query the values of the extension on an
> existing certificate do you think? The usual issue seems that people want to
> use openssl to form a request and insert the ms CA template name in there
> otherwise it complains. I don't want to do that, I want to take a presented
> certificate (to freeradius) and perform something in the shell that will check
> against acceptable template names (and that the certificate chains properly,
> but that's not a problem).
> I can't find anything on google citing that someone has achieved it so far.
> Thanks again.
> Andy
>
> -Original Message-
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of
> Jakob Bohm
> Sent: 28 April 2015 04:17
> To: openssl-users@openssl.org
> Subject: Re: [openssl-users] Certificate template information
>
> On 28/04/2015 02:59, Salz, Rich wrote:
>>> I have need to identify a Microsoft generated certificate's template name, I
>>> believe as part of oid 1.3.6.1.4.1.311.21.7
>> Where, in a cert OtherName field?
> It is an extension.  Microsoft certificate server (their
> bundled CA software) puts the name of the "certificate
> template" (analogous to an openssl.cnf section) in a
> certificate extension, and a few other Microsoft tools
> unfortunately check this name in addition to more
> relevant conditions such as EKU values etc.
>
> The form I know of can be implemented as follows in
> openssl.cnf (in the [sometemplatename_cert] section of
> the file):
>
> # enrollCerttypeExtension (1 3 6 1 4 1 311 20 2)
> #   OCTET STRING, encapsulates {
> # BMPString 'SomeTemplateName'
> # }
> #   }
> 1.3.6.1.4.1.311.20.2 = ASN1:BMP:SomeTemplateName
>
> I am not sure about the 1.3.6.1.4.1.311.21.7 OID, but it
> might be similar.
>
> Enjoy
>
> Jakob



Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
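Jakob's checklist turned into a shell check over `openssl x509 -text` output, as an added example (editorial, not code from the thread or from OpenSSL). The policy it enforces, the name radius.example.test, and the throw-away certificates it generates (which carry the 1.3.6.1.4.1.311.20.2 template extension exactly as configured in the quoted openssl.cnf fragment) are all assumptions for illustration; a real deployment substitutes its own requirements. The second certificate keeps the same template name but fails the checks, which is the point of testing properties rather than names.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSL: apply the checklist
# above to a presented certificate using only `openssl x509` output, instead of
# trusting the Microsoft template name. The policy enforced here (ECDSA P-256
# key, digitalSignature only, serverAuth EKU only, a DNS SAN matching the CN,
# SHA-256 signature, not a CA) is a hypothetical one chosen for illustration.
set -eu

has()   { case "$1" in *"$2"*) return 0 ;; esac; return 1; }
lacks() { ! has "$1" "$2"; }

# ext_values HEADER: print the line following an extension header in `-text` output
ext_values() { awk -v h="$1" '$0 ~ h { getline; print }'; }

fails=0
req() {   # req DESCRIPTION CHECK ARGS...: record pass/fail instead of aborting
  desc=$1; shift
  if "$@"; then echo "ok   $desc"; else echo "FAIL $desc"; fails=$((fails + 1)); fi
}

# check_cert CERT.pem EXPECTED_DNS -> 0 if every requirement holds, 1 otherwise
check_cert() {
  cert=$1; dns=$2; fails=0
  txt=$(openssl x509 -in "$cert" -noout -text)
  subj=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253)
  ku=$(printf '%s\n' "$txt" | ext_values 'X509v3 Key Usage')
  eku=$(printf '%s\n' "$txt" | ext_values 'X509v3 Extended Key Usage')
  san=$(printf '%s\n' "$txt" | ext_values 'X509v3 Subject Alternative Name')
  req "key usage includes digitalSignature"   has   "$ku"   "Digital Signature"
  req "key usage excludes keyCertSign"        lacks "$ku"   "Certificate Sign"
  req "EKU includes serverAuth"               has   "$eku"  "TLS Web Server Authentication"
  req "EKU excludes clientAuth"               lacks "$eku"  "TLS Web Client Authentication"
  req "SAN carries the expected DNS name"     has   "$san"  "DNS:$dns"
  req "subject CN matches the expected name"  has   "$subj" "CN=$dns"
  req "key is EC on prime256v1"               has   "$txt"  "ASN1 OID: prime256v1"
  req "signature is ecdsa-with-SHA256"        has   "$txt"  "Signature Algorithm: ecdsa-with-SHA256"
  req "certificate is not a CA"               lacks "$txt"  "CA:TRUE"
  [ "$fails" -eq 0 ]
}

# make_test_cert DIR CN EKU: a constructed self-signed certificate for the demo,
# carrying the Microsoft template extension exactly as configured in the thread.
make_test_cert() {
  dir=$1; cn=$2; eku=$3
  cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
[dn]
[v3_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = $eku
subjectAltName = DNS:$cn
1.3.6.1.4.1.311.20.2 = ASN1:BMP:SomeTemplateName
EOF
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/key.pem"
  openssl req -x509 -new -key "$dir/key.pem" -sha256 -days 1 -subj "/CN=$cn" \
    -config "$dir/req.cnf" -extensions v3_ext -out "$dir/cert.pem" 2>/dev/null
}

# cert_demo: the policy must accept a conforming certificate and reject one
# issued with a different EKU, identical template name notwithstanding.
cert_demo() {
  d=$(mktemp -d); good=1; bad=0
  make_test_cert "$d" radius.example.test serverAuth
  echo "--- conforming certificate:"
  if check_cert "$d/cert.pem" radius.example.test; then good=0; fi
  mkdir "$d/other"
  make_test_cert "$d/other" radius.example.test clientAuth
  echo "--- same template name, clientAuth EKU instead:"
  if check_cert "$d/other/cert.pem" radius.example.test; then bad=1; fi
  rm -rf "$d"
  [ "$good" -eq 0 ] && [ "$bad" -eq 0 ]
}

if command -v openssl >/dev/null 2>&1; then cert_demo; fi
```

Chain validation is deliberately left out of `check_cert`; run `openssl verify -CAfile ca.pem cert.pem` alongside it, since a certificate can satisfy every property check above and still not chain to the CA you trust.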


Re: [openssl-users] Certificate template information

2015-04-28 Thread Franks Andy (IT Technical Architecture Manager)
Thanks Rich, Jakob. 
So, can I use openssl as it is to query the values of the extension on an 
existing certificate do you think? The usual issue seems that people want to 
use openssl to form a request and insert the ms CA template name in there 
otherwise it complains. I don't want to do that, I want to take a presented 
certificate (to freeradius) and perform something in the shell that will check  
against acceptable template names (and that the certificate chains properly, 
but that's not a problem).
I can't find anything on google citing that someone has achieved it so far.
Thanks again.
Andy

-Original Message-
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of 
Jakob Bohm
Sent: 28 April 2015 04:17
To: openssl-users@openssl.org
Subject: Re: [openssl-users] Certificate template information

On 28/04/2015 02:59, Salz, Rich wrote:
>> I have need to identify a Microsoft generated certificate's template name, I 
>> believe as part of oid 1.3.6.1.4.1.311.21.7
> Where, in a cert OtherName field?
It is an extension.  Microsoft certificate server (their
bundled CA software) puts the name of the "certificate
template" (analogous to an openssl.cnf section) in a
certificate extension, and a few other Microsoft tools
unfortunately check this name in addition to more
relevant conditions such as EKU values etc.

The form I know of can be implemented as follows in
openssl.cnf (in the [sometemplatename_cert] section of
the file):

# enrollCerttypeExtension (1 3 6 1 4 1 311 20 2)
#   OCTET STRING, encapsulates {
# BMPString 'SomeTemplateName'
# }
#   }
1.3.6.1.4.1.311.20.2 = ASN1:BMP:SomeTemplateName

I am not sure about the 1.3.6.1.4.1.311.21.7 OID, but it
might be similar.

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users