Re: SSL attack scenario

2009-05-18 Thread Nikos Balkanas 
Wikipedia is right in principle, but doesn't cover the case of TCP 
hijacking. By reliable delivery guarantee, it means the transport layer, 
once the data has left the application layer (i.e when is placed on the 
wire). Of course no guarantees are offerred for the application layer, where 
the application is free to send anything it wants.


It would require a lot of effort, but a transparent proxy, can rewrite IP 
source headers, sequence numbers, ACKs and if it has followed all algos and 
key exchanges, even regenerate those. HMAC is nothing more than a glorified 
CRC encoded with some secret exchanged at the start. If anyone captures that 
secret can regenerate all MACs.


Transparent proxies and gateways are always a concern in security,

BR,
Nikos

- Original Message - 
From: "Andrey Koltsov" 

To: 
Sent: Monday, May 18, 2009 8:59 AM
Subject: Re: SSL attack scenario



JoΓ£o TΓ΅vora ΠΏΠΈΡ�ΠµΡ‚:
What this article says is this: if you *received* data from TCP connection 
it will be "without duplication or losing data". It doesn't say: if you 
*send* data it will be received correctly by other host. It's impossible 
to garantee.


--
Andrey Koltsov


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org 


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: SSL_write retruns with SSL_ERROR_WANT_WRITE on a non-blocking socket. Do I need to re-insert the same data when socket is ready.

2009-05-12 Thread Nikos Balkanas 
Well, the manual clearly states about looping the SSL_write call. You can 
say what you want about it, but i have verified it in practice. Also it 
doesn't say anything about sched_yield, that's something you have to figure 
out on your own. You can either loop endlessly around the SSL_write call, 
burning up CPU cycles, or relinguish CPU to something more useful. I will 
not even try to suggest to you which is more efficient.


Nikos
- Original Message - 
From: "David Schwartz" 

To: 
Sent: Tuesday, May 12, 2009 2:03 PM
Subject: RE: SSL_write retruns with SSL_ERROR_WANT_WRITE on a non-blocking 
socket. Do I need to re-insert the same data when socket is ready.





Nikos Balkanas wrote:

>> To make it clearer. Select or poll will return as soon as the socket 
>> is

>> writable. However, SSL still needs to negotiate keys and
>> encryption with the
>> peer before you can exchange any data. This is handled
>> transparently for you
>> in each SSL_write call. Therefore SSL replies to you "Yes the socket 
>> is

>> writeable, but I am not done yet with the handshake".


> That would be SSL_ERROR_WANT_READ. If you get SSL_ERROR_WANT_WRITE, 
> that

> means OpenSSL found that the socket was not wriable.



No. SSL doesn't decide that. It is done at a lower level. It is
decided by
poll or select.


Huh? SSL knows whether it was trying to read from the socket or write to 
the

socket when it encountered a 'WOULDBLOCK' error. If nothing changes (and
nothing can change unless you call into OpenSSL) it will repeat that same
operation the next time you call. So it is OpenSSL that will tell you 
which

direction it needs. It will not return a 'WANT_WRITE' error unless a write
returned a 'WOULDBLOCK' error.


The socket is writable the minute it unblocks (without
errors other than SSL_*). And can be either SSL_WRITE or
SSL_read. Read the
manual.


Huh? I've read this about five times and I can't figure out what you're
trying to say.


>> When you get SSL_ERROR_WANT_WRITE  none of your data is written to the
>> socket.



> There is no such guarantee. OpenSSL may have written some, all,
> or none of
> your data to the socket. All that you know is:



Yes, there is. By poll. If you get an error, your data is not written.


Again, huh? The 'poll' function will tell you if the socket is writable or
not, but if you call SSL_write and get a 'WANT_WRITE' return value, you 
have
no way of knowing what OpenSSL may or may not have sent over the socket. 
The

API is specifically designed so that you don't need to know.

For example, suppose you go to send 148 bytes with a call to SSL_write. 
This

forms an encrypted block of, say, 256 bytes. OpenSSL calls SSL_write and
sends 180 of those bytes. This may or may not allow the other end to 
decrypt

any of them (and it probably won't allow it to checksum any of them). What
should SSL_write return? (It cannot return 148, because if it does, you
won't call SSL_write again even if the socket becomes writable). So it
*must* return WANT_WRITE even though it sort of wrote some of the data.


> 1) OpenSSL needs the socket to be writable to make further progress in
> this
> direction.
>
> 2) You must provide the same data to OpenSSL the next time you call
> SSL_write.



Not necessarily, if you are using moving_buffers.


You are mistaken. Moving buffers is about the buffers moving. It does not
change the requirements about the contents of the buffers. If you call
SSL_write to send 148 bytes of data and it winds up sending, say, 128 of 
the

256 bytes this encrypt to, OpenSSL will have to return WANT_WRITE. If you
try to send anything other than those same 148 bytes of data (and possibly
some after it), things will break. This is fundamental to the way the API 
is

designed. UNIX does not provide an 'all or nothing' write function so
OpenSSL can't either.



>> You need to put it in a loop and call select or poll
>> again. If you
>> want to be efficient and not do many loops, put a sched_yield();
>> inside your
>> loop.



> That would be pointless. The 'select' or 'poll' function
> permits efficient
> blocking and beneficial context switches. Adding a sched_yield only 
> adds

> context switches where they are not necessary and blows out the caches.



Not in the case of SSL. Once poll unblocks SSL still needs the
socket to do
its stuff. If you try to write or read, the minute poll unblocks
you, will
be in trouble. You have to wait, in a loop, sometimes 50 loops.
To be more
CPU efficient, you can use sched_yield(), but it is up to you.


I have no idea what you're talking about, but this makes *NO* sense. You
most certainly should try to write or read the instant poll unblocks. 
There

Re: SSL_write retruns with SSL_ERROR_WANT_WRITE on a non-blocking socket. Do I need to re-insert the same data when socket is ready.

2009-05-12 Thread Nikos Balkanas 

See inlined answers. Next time don't truncate the thread.




To make it clearer. Select or poll will return as soon as the socket is
writable. However, SSL still needs to negotiate keys and
encryption with the
peer before you can exchange any data. This is handled
transparently for you
in each SSL_write call. Therefore SSL replies to you "Yes the socket is
writeable, but I am not done yet with the handshake".


That would be SSL_ERROR_WANT_READ. If you get SSL_ERROR_WANT_WRITE, that
means OpenSSL found that the socket was not wriable.


No. SSL doesn't decide that. It is done at a lower level. It is decided by 
poll or select. The socket is writable the minute it unblocks (without 
errors other than SSL_*). And can be either SSL_WRITE or SSL_read. Read the 
manual.



When you get SSL_ERROR_WANT_WRITE  none of your data is written to the
socket.



There is no such guarantee. OpenSSL may have written some, all, or none of
your data to the socket. All that you know is:


Yes, there is. By poll. If you get an error, your data is not written.

1) OpenSSL needs the socket to be writable to make further progress in 
this

direction.

2) You must provide the same data to OpenSSL the next time you call
SSL_write.


Not necessarily, if you are using moving_buffers.


However, it is entirely legal within the specification for all the data to
appear on the other end of the connection. (Though in practice, this won't
happen.)


You need to put it in a loop and call select or poll
again. If you
want to be efficient and not do many loops, put a sched_yield();
inside your
loop.


That would be pointless. The 'select' or 'poll' function permits efficient
blocking and beneficial context switches. Adding a sched_yield only adds
context switches where they are not necessary and blows out the caches.


Not in the case of SSL. Once poll unblocks SSL still needs the socket to do 
its stuff. If you try to write or read, the minute poll unblocks you, will 
be in trouble. You have to wait, in a loop, sometimes 50 loops. To be more 
CPU efficient, you can use sched_yield(), but it is up to you.


It's all in the manual. Read it.

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: SSL_write retruns with SSL_ERROR_WANT_WRITE on a non-blocking socket. Do I need to re-insert the same data when socket is ready.

2009-05-11 Thread Nikos Balkanas 

Hi,

To make it clearer. Select or poll will return as soon as the socket is 
writable. However, SSL still needs to negotiate keys and encryption with the 
peer before you can exchange any data. This is handled transparently for you 
in each SSL_write call. Therefore SSL replies to you "Yes the socket is 
writeable, but I am not done yet with the handshake".


When you get SSL_ERROR_WANT_WRITE  none of your data is written to the 
socket. You need to put it in a loop and call select or poll again. If you 
want to be efficient and not do many loops, put a sched_yield(); inside your 
loop.


BR,
Nikos
- Original Message - 
From: "David Schwartz" 

To: 
Sent: Monday, May 11, 2009 8:53 PM
Subject: RE: SSL_write retruns with SSL_ERROR_WANT_WRITE on a non-blocking 
socket. Do I need to re-insert the same data when socket is ready.





The short answer to the question in your subject is "yes", you have made a
contract with OpenSSL to do so, so you sould fulfill that contract.


Non-Blocking socket.



called SSL_write with data (say 'abc123') and socket 'h'.
Then 'SSL_get_error' found error code SSL_ERROR_WANT_WRITE.


That means that the SSL_write function cannot make forward progress until
the socket becomes writable. You have made a contract to send 'abc123' as
the next six bytes of data, and you cannot change that.


after some time call to 'select' detected that socket 'h' is
writable. (Does it mean that data 'abc123' was written successfully ?)


The question is ambiguous. But since you made a contract to send the data
'abc123', you are still required to send it, whether or not OpenSSL 
actually
needs to get that data from you. (It might need the data, or it might 
ignore

the next six bytes since it knows they're 'abc123', that's not your
business.)


Then I have to insert more data (say 'def567'). So before inserting
this data should I re-insert 'abc123' data too ?


Assuming you set MOVING_WRITE_BUFFER (which you should), you can send any
data you want, but you must repeat the send of 'abc123' (possibly with
additional data at the same time).

Because the return value of SSL_write was not a positive integer, no data
was logically consumed between the application and OpenSSL. So you must
re-send the same data, whether or not OpenSSL actually needs it. 
(Otherwise,

there would be no way to know what data needed to be sent and what didn't
without a more complex interface.)

DS


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org 


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: Openssl Memory leak

2009-05-07 Thread Nikos Balkanas 
70 KB is nothing nowadays. Besides each thread has its memory requirements, and 
memory is supposed to increase the more threads you use. Even if the threads 
reduce (lower load) memory may not go all the way back, because of global 
structures that have grown due to the load. But after several cycles, memory 
should stabilize when releasing threads.

Best way is to put it through valgrind, but I expect that this is already been 
done by the developers in the group.

BR,
Nikos
  - Original Message - 
  From: Fabian Bergmark 
  To: openssl-users@openssl.org 
  Sent: Thursday, May 07, 2009 4:49 PM
  Subject: Re: Openssl Memory leak


  After some investigation I've figured out that the memory leak isn't caused 
by running Openssl in threads. However, after about 200 connections, may vary, 
the used memory increases with around 70 kb. Is this normal? I guessed it's 
allocated by the openssl library


  2009/5/6 Fabian Bergmark 

Okey. Now i got no more memory leaks when I put the SSL code in main. 
However, if i try to put the exact same code in a thread the memory leak is 
back.

Here is the essential code I'm using;

void lcserver::start()
{
SSL_library_init();
SSL_load_error_strings();
method = SSLv23_server_method();
ctx = SSL_CTX_new(method);

Some windows socket code...

while(acceptsocket = accept(listensocket,(sockaddr*)&sin,&len))
{
struct clientinfo *client;
client = new struct 
clientinfo(acceptsocket,sin.sin_addr.s_addr,clientid++,this,rooms[0]->getthis(),ctx);
client->M1();
}
}

void clientinfo::M1()
{
CreateThread(0,0,(LPTHREAD_START_ROUTINE)M2,(LPVOID)this,0,0);
}

void clientinfo::M2(LPVOID param)
{
clientinfo* Call = (clientinfo*)param;
Call->listenfor();
delete Call;
return;
}

void clientinfo::listenfor()

{
SSL_set_bio(ssl,bio,bio);
SSL_accept(ssl);

while(SSL_shutdown(ssl) == 0)
;
SSL_free(ssl);
ERR_remove_state(0);
}

Just running this code which shouldn't leave any allocated memory, about 12 
kb ram is still allocated. 



2009/5/5 Nikos Balkanas 


  Hi,

  Check the return value of SSL_shutdown(ssl). Sometimes it needs up to 4 
iterations to complete due to internal state machine. It completes when the 
value != 0. Hope it helps.

  BR,
  Nikos
- Original Message - 
From: Fabian Bergmark 
To: openssl-users@openssl.org 
Sent: Tuesday, May 05, 2009 9:13 PM
Subject: Openssl Memory leak


Hi

I am currently writing a Chat application using the Openssl library for 
encryption. It's a multi-thread application and every client is managed by a 
different thread.
However, ever since I implemented Openssl there seams to be a memory 
leak of around 10 kb.
My openssl-code code is looking like following:

SSL_set_bio(ssl,bio,bio);
SSL_accept(ssl);
SSL_shutdown(ssl);
SSL_free(ssl);

where bio and ssl is class objects where BIO is set like

bio = BIO_new_socket(s,BIO_NOCLOSE)

The increased memory does not occur before SSL_accept(ssl). The first 
time a client connect about a 100 kb is allocated, which I suppose is due to 
some initialising function. For each new client about 0-20 kb are still 
allocated after 

SSL_shutdown(ssl);
SSL_free(ssl);

is issued. Is there some cleanup functions im forgetting?

I am using windows btw.

Re: Openssl Memory leak

2009-05-05 Thread Nikos Balkanas 
Hi,

Check the return value of SSL_shutdown(ssl). Sometimes it needs up to 4 
iterations to complete due to internal state machine. It completes when the 
value != 0. Hope it helps.

BR,
Nikos
  - Original Message - 
  From: Fabian Bergmark 
  To: openssl-users@openssl.org 
  Sent: Tuesday, May 05, 2009 9:13 PM
  Subject: Openssl Memory leak


  Hi

  I am currently writing a Chat application using the Openssl library for 
encryption. It's a multi-thread application and every client is managed by a 
different thread.
  However, ever since I implemented Openssl there seams to be a memory leak of 
around 10 kb.
  My openssl-code code is looking like following:

  SSL_set_bio(ssl,bio,bio);
  SSL_accept(ssl);
  SSL_shutdown(ssl);
  SSL_free(ssl);

  where bio and ssl is class objects where BIO is set like

  bio = BIO_new_socket(s,BIO_NOCLOSE)

  The increased memory does not occur before SSL_accept(ssl). The first time a 
client connect about a 100 kb is allocated, which I suppose is due to some 
initialising function. For each new client about 0-20 kb are still allocated 
after 

  SSL_shutdown(ssl);
  SSL_free(ssl);

  is issued. Is there some cleanup functions im forgetting?

  I am using windows btw.

Re: I want you to do my homework for me.

2009-05-04 Thread Nikos Balkanas 
Hi,

Isn't the abusive language and attitude used by Miguel good reason to ban 
him/her from this group? Although it was taken as humorous in the beginning, it 
seems that a lot of users were put off by his message.

BR,
Nikos
  - Original Message - 
  From: Robert Butler 
  To: openssl-users@openssl.org 
  Sent: Monday, May 04, 2009 4:01 PM
  Subject: Re: I want you to do my homework for me.


  Hi Alan,

  I do apologize for the outburst in the mailing list over the weekend.  But 
he's succeeded in pushing my buttons. I do recommend 
  though, that you read over the entirety of the thread / message in question, 
and not just my response to "Miguel."  He has been 
  making warrant-less threats, accusations, and demands since early Saturday.

  I  tried being polite out of respect for the mailing list.  That being said,  
I resent greatly labeling of me in the way that he has, and 
  merely  wished to  be overly blunt to demonstrate that I could have posted 
far worse, far earlier, however had exhibited restraint 
  due to the fact that this -is- a public mailing list.  Though, what I'd 
posted was more from frustration than anything else.

  Once again, I apologize for -my- behavior.
  - Robert

  On Mon, 2009-05-04 at 10:16 +0100, a.l.m.bu...@lboro.ac.uk wrote: 
Hi,

> No. I was trying to be polite, 


excuse me? This is a general open public mailing list for OpenSSL.

this sort of abusive language has no place here - its read by a mixture 
of professional, non-professional, adults, children, researchers,
computer users etc. foul language has its place in other, more
appropriate locations.

please take some responsibility and be responsible

I can see no purpose of this silly thread other than to disrupt
an otherwise useful and normal mailing list. 


alan
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: I want you to do my homework for me.

2009-05-03 Thread Nikos Balkanas 

Yes, mistress. Immediately.

- Original Message - 
From: "Miguel Ghobangieno" 

To: 
Sent: Sunday, May 03, 2009 10:14 AM
Subject: Re: I want you to do my homework for me.




Libssl should be rewritten in java on ruby upon rails (the bottom rail, 
which is now on top). This is not a suggestion. It is a demand. You _MUST_ 
comply.


--- On Sat, 5/2/09, Frans de Boer  wrote:


From: Frans de Boer 
Subject: Re: I want you to do my homework for me.
To: openssl-users@openssl.org
Date: Saturday, May 2, 2009, 9:43 PM
On Sat, 2009-05-02 at 07:19 -0700,
Miguel Ghobangieno wrote:
> I'd like to do some crypto homework. It entails
rebuilding the openssl
> library on windows 8 (C###). I'd like you to deatail
the _EXACT_
> procedure for rebuilding/recoding/synergising the
openssl library in
> windows 8's C###. You have to do this because I told
you to, requested
> it of you, demanded it of you.
>
> Accusations such as "think of the code" or "learn
openssl by reading
> the code" etc will be forwarded to the Equal
Empolyment Oppourtunity
> Commission.
>
> Furthermore I am aware that you opensource coders are
all a buch of
> mysoginist sexists; for the most part you are all
_men_. The EEOC is
> going to hear of THAT aswell.
>
> Period.
> Slash
>
Normally I do not react, but this message must be written
by a child,
looking by the many spelling errors. So who can take this
person
seriously? 'It' clearly has no clue about the real world.
Or is it an
attempt to gobble up bandwidth on the Internet? In which
case it
succeeded moderately.

Frans.

__
OpenSSL Project

 http://www.openssl.org
User Support Mailing List
  openssl-users@openssl.org
Automated List Manager

   majord...@openssl.org






__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org 


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: Bind Jamming Port

2009-04-16 Thread Nikos Balkanas 
Hi,

Sounds like you are not closing the port when exiting. If you do a netstat what 
state do you see ? CLOSE_WAIT?

BR,
Nikos
  - Original Message - 
  From: Michael Lawson (mshindo) 
  To: openssl-users@openssl.org 
  Sent: Thursday, April 16, 2009 2:04 PM
  Subject: Bind Jamming Port


  Hey Guys,

  I have an application that creates using the openssl libraries under linux a 
encrypted server. This works perfectly apart from one small bug, whenever I 
close the application, either deliberately or though an unexpected error the 
port becomes locked(I get bind errors if I try and start the server again) for 
a time period, sometime spanning up to 10 minutes. 

  Is there something I am missing or something I can do to stop this from 
happening?

  -- 
  Michael

Re: apache http server not connecting to correct open ssl --urgent help needed

2009-04-03 Thread Nikos Balkanas 

I see your problem:

Do the following with your correct LD_LIBRARY_PATH:

echo $LD_LIBRARY_PATH
ldd 

and post results

Nikos

- Original Message - 
From: "Srinivas Jonnalagadda" 

To: ; 
Cc: 
Sent: Friday, April 03, 2009 7:09 PM
Subject: Re: apache http server not connecting to correct open ssl --urgent 
help needed




hi nikos,

Thanks fo rthe information. i tried you idea but still when i restart i 
get the following message. any more information is highly appreciated. My 
LDPATH has been set to the following:

LD_LIBRARY_PATH="/usr/local/openssl098i/lib:/apps/opt/apache2/lib:$LD_LIBRARY_PATH"
export LD_LIBRARY_PATH


[Fri Apr 03 12:00:38 2009] [warn] Init: Session Cache is not configured 
[hint: SSLSessionCache]
[Fri Apr 03 12:00:38 2009] [notice] Digest: generating secret for digest 
authentication ...

[Fri Apr 03 12:00:38 2009] [notice] Digest: done
[Fri Apr 03 12:00:41 2009] [notice] Apache/2.0.63 (Unix) mod_ssl/2.0.63 
OpenSSL/0.9.8b configured -- resuming normal operations


Thanks,
srinivas Jonnalagadda




-Original Message-

From: Nikos Balkanas 
Sent: Apr 3, 2009 7:11 AM
To: openssl-users@openssl.org
Cc: openssl-...@openssl.org
Subject: Re: apache http server not connecting to correct open 
ssl --urgent help needed


Hi,

I imagine you are using a Solaris 10 machine. You also need to load
different versions of the same library. You need to set the correct
LD_LIBRARY_PATH. For 2.0.55 include in the LD_LIBARY_PATH your 0.9.8b
libraries (libssl, libcrypto). For the 2.0.63 include your 0.9.8i 
libraries

path (/usr/local/openssl098i/lib).

Best way is to create 2 scripts (start55, start63) that set up your
LD_LIBRARY_PATH correctly.

BR,
Nikos
- Original Message - 
From: "The Doctor" 

To: 
Cc: 
Sent: Friday, April 03, 2009 1:01 AM
Subject: Re: apache http server not connecting to correct open 
ssl --urgent

help needed



On Thu, Apr 02, 2009 at 05:20:30PM -0400, Srinivas Jonnalagadda wrote:

Hi,

I have openssl 0.9.8b installed with apache http server 2.0.55 on 
sloariz

machine. when i installed i used the /usr/local/ssl as prefix and i did
not use shared threads option. I was able to install successfully. On 
the

same machine i installed openssl 0.9.8i in /usr/local/openssl098i
directory and used the shared threads option. i installed apache http
2.0.63 on the same machine and when i installed i gave prefix as
/usr/local/openssl098i. my intention was tht when i start apache http
2.0.63 i should use /usr/local/openssl098i and when is start apache 
http

server 2.0.55 i should use  /usr/local/ssl. My problem now is when i
start both are connecting to openssl 0.9.8b. Please tell me how to
connect to both.





You need to make slight modifications to the Apache code!

Instead of STACK you need to specify STACK_OF( ).


Thanks,
Srinivas Jonnalagadda
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org


--
Member - Liberal International This is doc...@nl2k.ab.ca
Ici doc...@nl2k.ab.ca God, Queen and country! Beware Anti-Christ rising!
Never Satan President Republic!
Point to http://tv.cityonahillproductions.com/
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org 


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: apache http server not connecting to correct open ssl --urgent help needed

2009-04-03 Thread Nikos Balkanas 

Hi,

I imagine you are using a Solaris 10 machine. You also need to load 
different versions of the same library. You need to set the correct 
LD_LIBRARY_PATH. For 2.0.55 include in the LD_LIBARY_PATH your 0.9.8b 
libraries (libssl, libcrypto). For the 2.0.63 include your 0.9.8i libraries 
path (/usr/local/openssl098i/lib).


Best way is to create 2 scripts (start55, start63) that set up your 
LD_LIBRARY_PATH correctly.


BR,
Nikos
- Original Message - 
From: "The Doctor" 

To: 
Cc: 
Sent: Friday, April 03, 2009 1:01 AM
Subject: Re: apache http server not connecting to correct open ssl --urgent 
help needed




On Thu, Apr 02, 2009 at 05:20:30PM -0400, Srinivas Jonnalagadda wrote:

Hi,

I have openssl 0.9.8b installed with apache http server 2.0.55 on sloariz 
machine. when i installed i used the /usr/local/ssl as prefix and i did 
not use shared threads option. I was able to install successfully. On the 
same machine i installed openssl 0.9.8i in /usr/local/openssl098i 
directory and used the shared threads option. i installed apache http 
2.0.63 on the same machine and when i installed i gave prefix as 
/usr/local/openssl098i. my intention was tht when i start apache http 
2.0.63 i should use /usr/local/openssl098i and when is start apache http 
server 2.0.55 i should use  /usr/local/ssl. My problem now is when i 
start both are connecting to openssl 0.9.8b. Please tell me how to 
connect to both.






You need to make slight modifications to the Apache code!

Instead of STACK you need to specify STACK_OF( ).


Thanks,
Srinivas Jonnalagadda
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org


--
Member - Liberal International This is doc...@nl2k.ab.ca
Ici doc...@nl2k.ab.ca God, Queen and country! Beware Anti-Christ rising!
Never Satan President Republic!
Point to http://tv.cityonahillproductions.com/
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org 


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: SSL_write problem

2009-03-30 Thread Nikos Balkanas 

Hi,

Thanx for the quick response. Unfortunately the same problem persists:

void conn_init_ssl(void)
{
   SSL_library_init();
   SSL_load_error_strings();
   global_ssl_context = SSL_CTX_new(SSLv23_client_method());
   SSL_CTX_set_mode(global_ssl_context,.
   SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER
 | SSL_MODE_AUTO_RETRY);
}

Any ideas? What should the underlying socket be blocking/not blocking? Can I 
have at the same time non-blocking read and blocking write?


BR,
Nikos

- Original Message - 
From: "Kyle Hamilton" 

To: 
Sent: Tuesday, March 31, 2009 3:13 AM
Subject: Re: SSL_write problem



SSL_CTX_set_mode(ssl, SSL_MODE_AUTO_RETRY);

2009/3/30 Nikos Balkanas :

Hi,

I would like to ideally use non-blocking SSL_read and blocking SSL_write. 
Is

this possible with BIO_set_nbio? What should the underlying socket be in
that case?

If this is not possible, as I suspect, i have the problem that the
non-blocking SSL_write with select, will stallΒ afterΒ first SSL_error of
SSL_ERROR_WANT_READ || SSL_ERROR_WANT_WRITE without ever writing the 
data:


while(((select(fd + 1, NULL, &rset, NULL, &alarm)) > 0) && FD_ISSET(fd,
&rset))
{
Β Β Β Β Β res = SSL_write(ssl, input, len);
Β Β Β Β Β if (res == -1)
Β Β Β Β Β {
Β Β Β Β Β Β Β Β Β Β Β Β Β Β SSL_error = SSL_get_error(ssl, res);
Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β printf("SSL_error = %d\n", SSL_error);
Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β if (SSL_error != SSL_ERROR_WANT_READ && 
SSL_error !=

SSL_ERROR_WANT_WRITE)
Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β return(-1);
Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β else FD_CLR(fd, &rset);
Β Β Β Β Β Β }
Β Β Β Β Β Β else return(res);
}

My only solution so far has been to use the non-blocking SSL_write as a
blocking one, but it is terribly inefficient, looping as many as 50
timesΒ before writing the data:

while((ret = SSL_write(ssl, request->data, request->len)) < 0)
{
Β Β Β Β Β Β Β SSL_error = SSL_get_error(ssl, ret);
Β Β Β Β Β Β Β Β if (SSL_error != SSL_ERROR_WANT_READ && SSL_error !=
SSL_ERROR_WANT_WRITE)
Β Β Β Β Β Β Β Β Β Β Β Β Β Β break;
Β Β Β Β Β Β Β Β thr_yield();
}

Any ideas?
TIA, Nikos


:I®r¶Γ¥²�­¦1��¥²z¥²€Άy²�®Ά�z– 


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

SSL_write problem

2009-03-30 Thread Nikos Balkanas 
Hi,

I would like to ideally use non-blocking SSL_read and blocking SSL_write. Is 
this possible with BIO_set_nbio? What should the underlying socket be in that 
case?

If this is not possible, as I suspect, i have the problem that the non-blocking 
SSL_write with select, will stall after first SSL_error of SSL_ERROR_WANT_READ 
|| SSL_ERROR_WANT_WRITE without ever writing the data: 

while(((select(fd + 1, NULL, &rset, NULL, &alarm)) > 0) && FD_ISSET(fd, &rset))
{
  res = SSL_write(ssl, input, len);
  if (res == -1)
  {
   SSL_error = SSL_get_error(ssl, res);
printf("SSL_error = %d\n", SSL_error);
if (SSL_error != SSL_ERROR_WANT_READ && SSL_error != 
SSL_ERROR_WANT_WRITE)
return(-1);
else FD_CLR(fd, &rset);
   }
   else return(res);
}

My only solution so far has been to use the non-blocking SSL_write as a 
blocking one, but it is terribly inefficient, looping as many as 50 times 
before writing the data:

while((ret = SSL_write(ssl, request->data, request->len)) < 0)
{
SSL_error = SSL_get_error(ssl, ret);
if (SSL_error != SSL_ERROR_WANT_READ && SSL_error != 
SSL_ERROR_WANT_WRITE)
   break;
thr_yield();
}

Any ideas?
TIA, Nikos

Re: Linking with mingw on Windows

2009-03-10 Thread Nikos Balkanas 
Hi,

RSA_new is defined in libcrypto. It is obviously not defined in libeay32. You 
can check it with "nm libeay32.a | grep RSA_new". Then you should probably get 
a good copy of libcrypto.

BR,
Nikos
  - Original Message - 
  From: Kenneth Goldman 
  To: openssl-users@openssl.org 
  Sent: Monday, March 09, 2009 8:26 PM
  Subject: Linking with mingw on Windows


  What's the linker format when using [gcc / mingw] on Windows?
  I am not using cygwin!

  I assume I should use the libraries in .../OpenSSL/lib/MinGW,
  but maybe not.

  I've tried 
  -leay32
  -L"C:/program files/openssl/lib/mingw/libeay32.a"
  and even
  copying libeay32.a to libcrypto.a and
  -lcrypto

  I've linked in ssleay32.a as well. It's seeing the library file,
  because I get a file not found error if I spell the library name
  incorrectly. But it's not finding the functions.

  For all cases, I get errors of the form:

  c:107: undefined reference to `RSA_new'

  for all openssl function calls.

  --
  Ken Goldman kg...@watson.ibm.com 
  914-784-7646 (863-7646)

DES_CBC_40 question

2009-03-08 Thread Nikos Balkanas 

Hi,

I have implemented DES_CBC encryption/decryption. I would like now to 
include also support for

DES_CBC_40. Code is in C and I  am using the des_ncbc_encrypt function.

I imagine the same function can be used for the 40 bit version. What changes 
are needed to do this? Is there a place with the relevant documentation?


Thanx,
Nikos 


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: des_ncbc_encrypt question

2009-03-08 Thread Nikos Balkanas 

Dear Bill,

Thank you very much for your quick reponse, on Sunday night!

Indeed I had read this part, but couldn't make much of it. It took me a 
while to rewrite the code, but eventually everything looks fine!


BR,
Nikos



- Original Message - 
From: "Bill Colvin" 

To: 
Sent: Sunday, March 08, 2009 9:11 PM
Subject: RE: des_ncbc_encrypt question


I suggest you carefully read the following function description paying 
close attention to length.


DES_ncbc_encrypt() encrypts/decrypts using the cipher-block-chaining (CBC) 
mode of DES. If the encrypt argument is non-zero, the routine 
cipher-block-chain encrypts the cleartext data pointed to by the input 
argument into the ciphertext pointed to by the output argument, using the 
key schedule provided by the schedule argument, and initialization vector 
provided by the ivec argument. If the length argument is not an integral 
multiple of eight bytes, the last block is copied to a temporary area and 
zero filled. The output is always an integral multiple of eight bytes.


Bill

-Original Message-
From: owner-openssl-us...@openssl.org 
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Nikos Balkanas

Sent: March 8, 2009 1:20 PM
To: openssl-users@openssl.org
Subject: des_ncbc_encrypt question

Hi,

I am using des_ncbc_encrypt to encrypt/decrypt packages in a server/client
architecture (CBC mode). When I test encryption/decryption from within the
server I get everything decrypted OK, except the last 4 bytes. However, 
this

is enough for the client to reject the packet. I am using the following
code:

uchar * output;
des_key_schedule des_ks;
des_cblock des_key, des_iv;

memcpy(des_iv, iv, sizeof(des_iv));
memcpy(des_key, server_write_enc_key, sizeof(des_key));
des_set_odd_parity(&des_key);
if (des_set_key_checked(&des_key, des_ks))
{
   error(0, "wtls_des: Unable to set key schedule");
   return(NULL);
}
output = (uchar *)gw_malloc((len + 1)* sizeof(uchar));
des_ncbc_encrypt(data, output, len, des_ks, &des_iv, crypt);

where crypt takes the values DES_ENCRYPT or DES_DECRYPT.


(gdb) p data + 1640
$11 = (
   unsigned char *) 0x75f700
"*ξΥΰl:=8υ\n\236\236π\006\006\006\006\006\006\006"
(gdb) p output + 1640
$15 = (uchar *) 0x75e6f0 "Yy�6ΰ�'\216―L�kφ\033\232’)«Ε\233"

Decrypting output through another call to the same function (everything 
gets

reinitialized) I get:

(gdb) p data + 1640
$22 = (unsigned char *) 0x760710 
"Yy�6ΰ�'\216―L�kφ\033\232’)«Ε\233" (OK)

(gdb) p output + 1640
$24 = (uchar *) 0x75c6d0 "*ξΥΰl:=8υ\n\236\236π\006\006\006(VχR" (??)

Everything is fine except for the trailing "(VχR". Any ideas or pointers 
of

what is wrong, would be greatly appreciated.

Thanx,
Nikos Balkanas






__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org
:I®r¶Γ¥²�­¦1��¥²z¥²€Άy²�®Ά�z– 


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

des_ncbc_encrypt question

2009-03-08 Thread Nikos Balkanas 

Hi,

I am using des_ncbc_encrypt to encrypt/decrypt packages in a server/client 
architecture (CBC mode). When I test encryption/decryption from within the 
server I get everything decrypted OK, except the last 4 bytes. However, this 
is enough for the client to reject the packet. I am using the following 
code:


uchar * output;
des_key_schedule des_ks;
des_cblock des_key, des_iv;

memcpy(des_iv, iv, sizeof(des_iv));
memcpy(des_key, server_write_enc_key, sizeof(des_key));
des_set_odd_parity(&des_key);
if (des_set_key_checked(&des_key, des_ks))
{
   error(0, "wtls_des: Unable to set key schedule");
   return(NULL);
}
output = (uchar *)gw_malloc((len + 1)* sizeof(uchar));
des_ncbc_encrypt(data, output, len, des_ks, &des_iv, crypt);

where crypt takes the values DES_ENCRYPT or DES_DECRYPT.


(gdb) p data + 1640
$11 = (
   unsigned char *) 0x75f700 
"*ξΥΰl:=8υ\n\236\236π\006\006\006\006\006\006\006"

(gdb) p output + 1640
$15 = (uchar *) 0x75e6f0 "YyΚ6ΰ�'\216―LΊkφ\033\232’)«Ε\233"

Decrypting output through another call to the same function (everything gets 
reinitialized) I get:


(gdb) p data + 1640
$22 = (unsigned char *) 0x760710 "YyΚ6ΰ�'\216―LΊkφ\033\232’)«Ε\233" (OK)
(gdb) p output + 1640
$24 = (uchar *) 0x75c6d0 "*ξΥΰl:=8υ\n\236\236π\006\006\006(VχR" (??)

Everything is fine except for the trailing "(VχR". Any ideas or pointers of 
what is wrong, would be greatly appreciated.


Thanx,
Nikos Balkanas






__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org