[openssl-users] OpenSSL Read and Write in different threads

[NJ]

Hi,

I am using OpenSSL in multi threaded application where I call SSL_read and
SSL_write from two different threads.
I am first establishing DTLS connection over wireless connection to
communicate and to send encrypted messages using OpenSSL.

I am successfully able to send and receive data but wanted to clear the
connection and re-establish the new connection using DTLS. So in other words
do not want the same session reuse.

I am facing Segmentation fault while doing SSL_free and trying to understand
the cause. I am having following questions -

1) OpenSSL manual states that SSL_read and SSL_write should happen from
single thread as the SSL CTX could not be used at the same time. But if the
application takes care of reading and writing synchronously or in safe
manner is it still an issue ?

2) What is the meaning of OpenSSL is multithread safe ? I found various
sample implementations which uses CRYPTO_set_id_callback API to implement
THREAD_setup and cleanup APIs used in DTLS based server implementation. I
believe these APIs prevents the multiple threads to simultaneously access
SSL_ctx at the same time ? But if it is true than why it is not preventing
the SSL_write and SSL_read issue.

3) How to enable debugging option in OpenSSL as I am using gdb but I do not
see any thing except the call stack during Seg Fault.

(gdb)
0xb6e3cc10 in dtls1_get_record() from /usr/lib/libssl.so.1.0.0

Thanks
NJ




 



--
Sent from: http://openssl.6102.n7.nabble.com/OpenSSL-User-f3.html
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] tls1_change_cipher_state

[Steffen Nurpmeso]

Dennis Clarke wrote in <73f913f0-c7d0-2805-d28c-2273fc8c2...@blastwave.org>:
 |On 1/2/19 5:14 AM, Jakob Bohm via openssl-users wrote:
 |> On 02/01/2019 10:41, Matt Caswell wrote:
 |>>
 |>> On 27/12/2018 08:37, Dmitry Belyavsky wrote:
 |>>> Hello,
 |>>>
 |>>> Am I right supposing that local variables tmp1, tmp2, iv1, and iv2 
 |>>> are unused in
 |>>> this function?
 |>> Looks that way. They should be removed.
 |>>
 |> 
 |> By the way, why aren't any of your test compilers configured to
 |> warn about unused local variables?  It's a common feature in many
 |> compilers and thus a free consistency check that can catch typos.
 |
 |Traditionally ( past four decades ) that was a feature provided by
 |something like 'lint' but I have not seen a lint picker lately other
 |than in the Oracle Studio compiler tools and it certainly isn't open
 |source in any way. Works very well however.

I am not using it, but i occasionally see Christos Zoulas making
commits to the NetBSD version of lint.  They also seem to keep the
code instrumented with comments like "falltrough" etc., for it.

--steffen
|
|Der Kragenbaer,The moon bear,
|der holt sich munter   he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] tls1_change_cipher_state

[Jakob Bohm via openssl-users]

On 02/01/2019 11:18, Dennis Clarke wrote:

On 1/2/19 5:14 AM, Jakob Bohm via openssl-users wrote:

On 02/01/2019 10:41, Matt Caswell wrote:


On 27/12/2018 08:37, Dmitry Belyavsky wrote:

Hello,

Am I right supposing that local variables tmp1, tmp2, iv1, and iv2 
are unused in

this function?

Looks that way. They should be removed.



By the way, why aren't any of your test compilers configured to
warn about unused local variables?  It's a common feature in many
compilers and thus a free consistency check that can catch typos.


Traditionally ( past four decades ) that was a feature provided by
something like 'lint' but I have not seen a lint picker lately other
than in the Oracle Studio compiler tools and it certainly isn't open
source in any way. Works very well however.



Most traditional lint features have migrated into the compilers
(as warnings).  In this case gcc -Wunused enables a number of
such warnings.

Microsoft Visual C includes an advanced but flawed supplemental
linter in the form of the PREfast (code analysis) feature, which
tries to do semantic consistency checks for things like buffer
sizes and semaphore use.  This is closed source however.


By the way, I wonder if there is a way to tell gcc or clang that
OPENSSL_cleanse doesn't count as usage, without triggering other
warnings (such as not using the value written by by
OPENSSL_cleanse).

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] tls1_change_cipher_state

[Matt Caswell]

On 02/01/2019 10:14, Jakob Bohm via openssl-users wrote:
> On 02/01/2019 10:41, Matt Caswell wrote:
>>
>> On 27/12/2018 08:37, Dmitry Belyavsky wrote:
>>> Hello,
>>>
>>> Am I right supposing that local variables tmp1, tmp2, iv1, and iv2 are 
>>> unused in
>>> this function?
>> Looks that way. They should be removed.
>>
> 
> By the way, why aren't any of your test compilers configured to
> warn about unused local variables?  It's a common feature in many
> compilers and thus a free consistency check that can catch typos.

We do have that, but in this particular case the compiler has been fooled into
thinking that the buffers are used:

int tls1_change_cipher_state(SSL *s, int which)
{
unsigned char *p, *mac_secret;
unsigned char tmp1[EVP_MAX_KEY_LENGTH];
unsigned char tmp2[EVP_MAX_KEY_LENGTH];
unsigned char iv1[EVP_MAX_IV_LENGTH * 2];
unsigned char iv2[EVP_MAX_IV_LENGTH * 2];

...

 err2:
OPENSSL_cleanse(tmp1, sizeof(tmp1));
OPENSSL_cleanse(tmp2, sizeof(tmp1));
OPENSSL_cleanse(iv1, sizeof(iv1));
OPENSSL_cleanse(iv2, sizeof(iv2));
return (0);
}

Matt
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] tls1_change_cipher_state

[Dmitry Belyavsky]

Hello,

On Wed, Jan 2, 2019 at 12:41 PM Matt Caswell  wrote:

>
>
> On 27/12/2018 08:37, Dmitry Belyavsky wrote:
> > Hello,
> >
> > Am I right supposing that local variables tmp1, tmp2, iv1, and iv2 are
> unused in
> > this function?
>
> Looks that way. They should be removed.
>

#7971

-- 
SY, Dmitry Belyavsky
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] tls1_change_cipher_state

[Dennis Clarke]

On 1/2/19 5:14 AM, Jakob Bohm via openssl-users wrote:

On 02/01/2019 10:41, Matt Caswell wrote:


On 27/12/2018 08:37, Dmitry Belyavsky wrote:

Hello,

Am I right supposing that local variables tmp1, tmp2, iv1, and iv2 
are unused in

this function?

Looks that way. They should be removed.



By the way, why aren't any of your test compilers configured to
warn about unused local variables?  It's a common feature in many
compilers and thus a free consistency check that can catch typos.


Traditionally ( past four decades ) that was a feature provided by
something like 'lint' but I have not seen a lint picker lately other
than in the Oracle Studio compiler tools and it certainly isn't open
source in any way. Works very well however.

Dennis
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] tls1_change_cipher_state

[Dmitry Belyavsky]

Dear Jakob,

On Wed, Jan 2, 2019 at 1:14 PM Jakob Bohm via openssl-users <
openssl-users@openssl.org> wrote:

> On 02/01/2019 10:41, Matt Caswell wrote:
> >
> > On 27/12/2018 08:37, Dmitry Belyavsky wrote:
> >> Hello,
> >>
> >> Am I right supposing that local variables tmp1, tmp2, iv1, and iv2 are
> unused in
> >> this function?
> > Looks that way. They should be removed.
> >
>
> By the way, why aren't any of your test compilers configured to
> warn about unused local variables?  It's a common feature in many
> compilers and thus a free consistency check that can catch typos.
>
> Of cause doing so requires establishing a coding standard for how
> to silence such warnings where a local variable is used only in
> conditionally compiled code.
>

I think that compiler treats them as used, because buffers are static and
cleansed at the end of the function.

-- 
SY, Dmitry Belyavsky
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] tls1_change_cipher_state

[Jakob Bohm via openssl-users]

On 02/01/2019 10:41, Matt Caswell wrote:


On 27/12/2018 08:37, Dmitry Belyavsky wrote:

Hello,

Am I right supposing that local variables tmp1, tmp2, iv1, and iv2 are unused in
this function?

Looks that way. They should be removed.



By the way, why aren't any of your test compilers configured to
warn about unused local variables?  It's a common feature in many
compilers and thus a free consistency check that can catch typos.

Of cause doing so requires establishing a coding standard for how
to silence such warnings where a local variable is used only in
conditionally compiled code.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Openssl async support

[Matt Caswell]

On 27/12/2018 15:07, ASHIQUE CK wrote:
> Hi all,
> 
>           Thanks for the earlier reply. But still Iam facing issue regarding 
> the
> asynchronous job operation.
> 
>            I have implemented asynchronous job operation partially. I am now
> getting requests asynchronously ie. getting the next request after calling
> ASYNC_pause_job from the first request. But I am unable to resume the paused
> jobs after job completion.
> 
> Test setup consists of a nginx server and three SSL client apps.
> 
> I have got the first 16kb processing request (AES-GCM encryption/decryption)
> from client1 and have submitted the request to the engine and done
> ASYNC_pause_job, so client1 entered into waiting state. But when we run the
> client2 app, the first job went into ASYNC_FINISH state before job completion.
> Similarly, when we run the client3 app, the second job went into ASYNC_FINISH
> state. Can you help regarding this?

It's unclear from your description what you are doing or what exactly the issue
is. Are you able to share some code to show us what is happening?

Matt




> 
> 
> 
> On Wed, Dec 19, 2018 at 5:33 PM ASHIQUE CK  > wrote:
> 
> Gentle reminder
> 
> On Tue, Dec 18, 2018 at 4:06 PM ASHIQUE CK  > wrote:
> 
> Hi all,
> 
> I truly understand that everyone might be busy with your work and 
> didn't
> found time to reply. That's okay, but incase you have accidendly 
> forgot
> to reply, please accept this as a gentle reminder.
> 
> 
> 
> 
> 
> On Mon, Dec 17, 2018 at 6:11 PM ASHIQUE CK  > wrote:
> 
> Hi all,
> 
> I have some queries regarding OpenSSL async operation.
> 
> Current setup
> -
> I have one*OpenSSL dynamic engine (with RSA and AES-GCM support)
> *and linked it with *Nginx* server. Multiple *WGET* commands on 
> the
> client side.
> 
> Current issue
> -
>  Since OpenSSL *do_cipher call *(the function in which actual
> AES-GCM encryption/decryption happening) comes from one client at 
> a
> time which is reducing file downloading performance. So we need an
> *asynchronous operation in OpenSSL* ie. we need multiple do_cipher
> calls at the same time from which we should submit requests to HW
> without affecting the incoming requests and should wait for HW 
> output.
> 
> Queries
> 
>  1) Is there is any other scheme for multiple do_cipher calls at a
> time?. 
>  2) Any method to enable asynchronous call from OpenSSL?   
> 
> Versions
> -
> Openssl - 1.1.0h
> Nginx1.11.10
> Wget 1.17.1
> 
>  Kindly support me. Please inform me if any more inputs needed.
> Thanks in advance.
> 
> 
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Authentication over ECDHE

[Jakob Bohm via openssl-users]

On 29/12/2018 22:33, Richard Levitte wrote:

In message <20181229.170846.804158981742723988.levi...@openssl.org> on Sat, 29 Dec 
2018 17:08:46 +0100 (CET), Richard Levitte  said:


In message <38b97114-0c66-40ed-f631-58aa20940...@gmx.de> on Sat, 29 Dec 2018 14:19:47 +0100, 
"C.Wehrmeyer"  said:


...

What's wrong with that, you ask? Let me show you how I'd have done
that:


static const unsigned char ssl3_pad_1[] =
{
 ""
 ""
 ""
 ""
 ""
 ""
};

static const unsigned char*ssl3_pad_2[] =
{
 ""
 ""
 ""
 ""
 ""
 ""
};

So, no. I don't trust anyone. Especially not this mess of a code.

You do know that your string insert NUL bytes, right?  If you have a
look at how they're used, you might see why those stray NUL bytes
aren't a good thing.

Never mind this remark...  For some reason, my brain added commas
after each partial string.  Meh...



It still inserts NUL bytes at the end of each array, changing
sizeof(array) as well as cache access patterns (and thus side
channel effects).

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] tls1_change_cipher_state

[Matt Caswell]

On 27/12/2018 08:37, Dmitry Belyavsky wrote:
> Hello,
> 
> Am I right supposing that local variables tmp1, tmp2, iv1, and iv2 are unused 
> in
> this function?

Looks that way. They should be removed.

Matt


-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users