RE: Missing header file ts_local.h in install location.

2024-07-08 Thread BENTLEY Thom via openssl-users
Is it possible that OPENSSL_NO_DEPRECATED_3_0 is defined and that’s what’s 
causing the issue with DCMTK configuration?
From ts.h:
# ifndef OPENSSL_NO_DEPRECATED_3_0
#  define TS_VERIFY_CTS_set_certs(ctx, cert) TS_VERIFY_CTX_set_certs(ctx,cert)
# endif
STACK_OF(X509) *TS_VERIFY_CTX_set_certs(TS_VERIFY_CTX *ctx, STACK_OF(X509) *certs);



Thom Bentley | Senior Software Engineer | Medidata, a Dassault Systèmes company

From: Tomas Mraz 
Sent: Monday, July 1, 2024 4:12 AM
To: BENTLEY Thom ; Matt Caswell ; 
openssl-users@openssl.org
Subject: Re: Missing header file ts_local.h in install location.

Yes, they should search for TS_VERIFY_CTX_set_certs or
TS_VERIFY_CTX_set_flags (that would work for 1.1.1 as well).

Tomas Mraz, OpenSSL



On Fri, 2024-06-28 at 20:04 +, BENTLEY Thom wrote:
>
> Does this Bing CoPilot response suggest that DCMTK’s CMake
> configuration should be searching for a different function name?
>
> The HAVE_OPENSSL_PROTOTYPE_TS_VERIFY_CTS_SET_CERTS is a macro that
> checks for the existence of the TS_VERIFY_CTS_set_certs function in
> OpenSSL. This function is used to set the server’s certificate chain
> when verifying a TimeStampToken (TST).
>
> However, starting from OpenSSL 3.0.0, the correct spelling of the
> function is TS_VERIFY_CTX_set_certs, and the misspelled
> version TS_VERIFY_CTS_set_certs has been retained for compatibility
> reasons, but it is deprecated.
>
> This could potentially cause issues if DCMTK 3.6.8 is not properly
> configured to handle this change in OpenSSL 3.0.8.
>
> Thom Bentley | Senior Software Engineer |
> Medidata, a Dassault Systèmes company
>
> From: Matt Caswell <m...@openssl.org>
> Sent: Friday, June 28, 2024 11:54 AM
> To: BENTLEY Thom <thom.bent...@3ds.com>; Tomas Mraz
> <to...@openssl.org>; openssl-users@openssl.org
> Subject: Re: Missing header file ts_local.h in install location.
>
> On 28/06/2024 16:29, BENTLEY Thom via openssl-users wrote:
> > Thanks.  Yes, I saw that they became opaque.
> > The code I’m building works fine with 1.1.1w but we need to move to
> > 3.0.8 at least.
> > Here are the errors I see.
> >
> > dcmdsig:
> > 16:34:48:290
> > 19>C:\repos\mmi-director-dcmtk-3.6.8\dcmtk-
> > 3.6.8\dcmsign\libsrc\sitstamp.cc(1342,5): error C2027: use of
> > undefined type 'TS_verify_ctx'
> > 16:34:48:290
> > 19>C:\repos\mmi-director-dcmtk-3.6.8\openssl-
> > 3.0.8\include\openssl\ts.h(405,16):
> > 16:34:48:290 19>see declaration of 'TS_verify_ctx'
>
> It looks to me like DCMTK needs updating to use OpenSSL 3.x
>
> This particular error occurs because line 1342 of sitstamp.cc looks
> like this:
>
>  TS_VERIFY_CTS_set_certs(ctx, NULL);
>
> Earlier on in that file we see this:
>
> #ifndef HAVE_OPENSSL_PROTOTYPE_TS_VERIFY_CTS_SET_CERTS
> #define TS_VERIFY_CTS_set_certs(x,y) ((x)->certs = (y))
> #endif
>
> So if HAVE_OPENSSL_PROTOTYPE_TS_VERIFY_CTS_SET_CERTS isn't defined
> then it will attempt to look inside the TS_VERIFY_CTX structure - which is
> not allowed from 1.1.1 onwards because it is opaque.
>
> My guess is the setting of
> HAVE_OPENSSL_PROTOTYPE_TS_VERIFY_CTS_SET_CERTS is going wrong with
> OpenSSL 3.X
>
> It seems to get defined by Cmake/dcmtkPrepare.cmake:
>
>CHECK_FUNCTIONWITHHEADER_EXISTS("TS_VERIFY_CTS_set_certs(0,0)"
> "openssl/ts.h" HAVE_OPENSSL_PROTOTYPE_TS_VERIFY_CTS_SET_CERTS)
>
> Indeed that function header does *not* exist in 3.x because it is
> instead a macro:
>
> # ifndef OPENSSL_NO_DEPRECATED_3_0
> #  define TS_VERIFY_CTS_set_certs(ctx, cert) TS_VERIFY_CTX_set_certs(ctx,cert)
> # endif
>
> In 1.1.1 this was a full C function so the cmake detection would have
> worked correctly there.
>
> Matt
>
> >
> > dcmpstat:
> > 16:36:48:689
> > 34>C:\repos\mmi-director-dcmtk-3.6.8\openssl-
> > 3.0.8\include\openssl\types.h(104,30): error C2371: 'EVP_MD_CTX':
> > redefinition; different basic types
> > 16:36:48:753 34>(compiling source file
> > '../../../dcmtk-3.6.8/dcmpstat/libsrc/dvsighdl.cc')
> > 16:36:48:753
> > 34>C:\repos\mmi-director-dcmtk-3.6.8\dcmtk-
> > 3.6.8\dcmsign\include\dcmtk\dcmsign\simdmac.h(39,30):
> > 16:36:48:753 34>see declaration of 'EVP_MD_CTX'
> >
> > dcmtls:
> > 16:35:16:392
> > 26>C:\repos\mmi-director-dcmtk-3.6.8\dcmtk-
> > 3.6.8\dcmtls\libsrc\tlsciphr.cc(238,32): error C2027: use of
> >

Re: ECDH Group 19 (256-bit Elliptic curve) key length

2024-07-08 Thread Tomas Mraz
You should use some Key Derivation Function (KDF) to derive a key from
this shared secret. For example TLS-1.3 uses HKDF for that.

The best way would be to use TLS-1.3 (or some other standardized secure
protocol) directly instead of inventing and implementing your own
protocol though.

Tomas Mraz, OpenSSL


On Mon, 2024-07-08 at 12:47 +, Vishal Kevat via openssl-users
wrote:
> 
> 
> 
> Hi OpenSSL,
>  
> I am using group 19, which is the ECDH elliptic curve group
> (NID_X9_62_prime256v1) and is giving 32 bytes/256 bits of shared secret
> key.
>  
> I want to use it to work with AES-128 CBC encryption algorithm. As
> the key length generated by ECDH is 32 bytes, is there any way to
> generate the key length of 16 bytes/128 bit with group 19 ECDH
> algorithm?
>  
> In one of the articles, it is mentioned that encryption or
> authentication algorithms with a 128-bit key are to be used for Diffie-
> Hellman groups 5, 14, 19, 20 or 24.
> Link:
> https://community.cisco.com/t5/security-knowledge-base/diffie-hellman-groups/ta-p/3147010
> Please let me know if group 19 can generate 128 bit key length by any
> means.
>  
> Regards,
> Vishal Kevat
>  
>  

-- 
Tomáš Mráz, OpenSSL



ECDH Group 19 (256-bit Elliptic curve) key length

2024-07-08 Thread Vishal Kevat via openssl-users
Hi OpenSSL,

I am using group 19, which is the ECDH elliptic curve group (NID_X9_62_prime256v1)
and is giving 32 bytes/256 bits of shared secret key.

I want to use it to work with AES-128 CBC encryption algorithm. As the key 
length generated by ECDH is 32 bytes, is there any way to generate the key 
length of 16 bytes/128 bit with group 19 ECDH algorithm?

In one of the articles, it is mentioned that encryption or authentication
algorithms with a 128-bit key are to be used for Diffie-Hellman groups 5, 14, 19,
20 or 24.
Link: 
https://community.cisco.com/t5/security-knowledge-base/diffie-hellman-groups/ta-p/3147010
Please let me know if group 19 can generate 128 bit key length by any means.

Regards,
Vishal Kevat






FIPS with Openssl 3.1

2024-07-08 Thread Stiju
Hi,

I am working to package OpenSSL 3.1.x with my product.
As I prefer to be FIPS compliant, I would like to use the FIPS module from
OpenSSL 3.0.9.

1) From the documentation
(https://github.com/openssl/openssl/blob/master/README-FIPS.md), what I
understood is:
   I need to build and install OpenSSL 3.1.x to the location, and then
install FIPS from OpenSSL 3.0.9 overlaying the 3.1.x install. Am I right
with my understanding? Or is there another way to build 3.1.x with the FIPS
module from 3.0.9, like in OpenSSL 1.0.x (e.g. using --with-fipsdir etc.)?


2) Also, I need confirmation on FOM FIPS certification.
   If I build fips.so from 3.0.9 source, can I claim FIPS
compliance directly based on the certificate
(https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4282)
given to the FOM? I am building OpenSSL on Alma Linux.
  I assume it's a yes; please let me know if I am wrong.



-- 


  Stiju Easo


 The unexamined life is not worth living for man.
  Socrates, in Plato, Dialogues, Apology
  Greek philosopher in Athens (469 BC - 399 BC)