Re: [openssl-users] OpenSSL Dragino Yun Issues

2016-09-02 Thread Nikola Milev
Matt,

The suggested workaround seems to be working. I say "seems to be" because I
have only tested it a little. It was tested using openssl s_client. Also, I
suppose this doesn't present a security breach?

Of course, if anyone manages to locate the origin of the issue, I would
like to hear from them.

Resent the mail so that everyone else can see it.

Best regards,

Nikola Milev

On Sep 2, 2016 11:31 AM, "Matt Caswell" wrote:

>
>
> On 02/09/16 10:16, Nikola Milev wrote:
> > Matt,
> >
> > I am not sure I understand.
> >
> > acc = BIO_new_accept(PORT);
> >
> > BIO_set_bind_mode(acc, BIO_BIND_REUSEADDR_IF_UNUSED);
> > if(!acc)
> > {
> >     server_error_("Error creating server socket");
> > }
> > if (BIO_do_accept(acc) <= 0)
> > {
> >     server_error_("Error binding server socket");
> > }
> >
> > Looking at this chunk of code, I am a bit confused. Is not the socket
> > created with BIO in BIO_new_accept() call?
> >
> > Am I supposed to create acc BIO using the socket(), then
> > BIO_new_socket(), then BIO_set_port() and, afterwards, omit the first
> > BIO_do_accept() call?
>
> I'm suggesting you don't use BIO for that piece of your code. Just do
> regular "socket", "bind", "listen" and "accept" calls like you had in
> your simple server code. In that code you had a variable "connfd" which
> represented the incoming connection file descriptor. You can then wrap
> that "connfd" in a BIO:
>
> bio = BIO_new(BIO_s_socket());
>
> if (bio == NULL) {
>     goto err;
> }
> BIO_set_fd(bio, connfd, BIO_NOCLOSE);
>
> Now you can just set that BIO on the SSL object:
>
> SSL_set_bio(ssl, bio, bio);
>
>
> Matt
>
>
> >
> >
> > On Sep 2, 2016 10:32 AM, "Matt Caswell" wrote:
> >
> > On 02/09/16 09:15, Nikola Milev wrote:
> > > Matt,
> > >
> > > I have not compiled it myself. Compiling simpler applications for my
> > > Dragino Yun shield is complicated enough.
> > >
> > > One thing that did come to mind was: could the cross compilation for
> > > Dragino be messing with the program in any way? Also quite new in
> > > all of it.
> >
> > Possibly, but I'm not familiar with Dragino so I can't really comment.
> >
> > > Back to OpenSSL, are there any additional settings that could have
> > > caused the error?
> >
> > None that spring to mind.
> >
> > > Also, I have a question about this issue on Stack Overflow. If we
> > > resolve the issue, I think it would be good to post it there as an
> > > answer, if you agree.
> >
> > Sure.
> >
> > If you are unable to compile OpenSSL and it doesn't have debugging
> > symbols then it's going to be difficult to take the diagnosis of this
> > problem much further.
> >
> > An alternative solution for you might be a "workaround". Rather than
> > calling BIO_do_accept(), you could create the socket yourself directly
> > (i.e. not using the BIO calls). Once you have the socket file
> > descriptor you can create a BIO from it using BIO_new_socket().
> >
> > Matt
> >
> > > Best regards,
> > > Nikola
> > >
> > > On Sep 2, 2016 9:51 AM, "Matt Caswell" wrote:
> > >
> > > On 01/09/16 12:36, Nikola Milev wrote:
> > > > listenfd = socket (AF_INET, SOCK_STREAM, PROTOCOL);
> > > > if(listenfd < 0)
> > > > {
> > > >     exit_msg("socket() error");
> > > > }
> > >
> > > The fact that this worked suggests that maybe we aren't sending what we
> > > think we are sending as the parameters to the equivalent socket call in
> > > OpenSSL. Either that or something really weird is happening that causes
> > > it to fail when called from OpenSSL, but not from a standalone program!!
> > >
> > > Did you compile OpenSSL yourself, or are you using pre-built binaries?
> > > If you compiled it yourself then I could provide you with a small patch
> > > to instrument the code to figure out what parameters are being sent to
> > > "socket"...either that or you could take a look at it in a debugger if
> > > it has been compiled with debugging symbols.
> > >
> > > Matt
> > >
> >
>
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] OpenSSL Dragino Yun Issues

2016-09-02 Thread Matt Caswell


On 02/09/16 09:15, Nikola Milev wrote:
> Matt,
> 
> I have not compiled it myself. Compiling simpler applications for my
> Dragino Yun shield is complicated enough.
> 
> One thing that did come to mind was: could the cross compilation for
> Dragino be messing with the program in any way? Also quite new in all of it.


Possibly, but I'm not familiar with Dragino so I can't really comment.

> 
> Back to OpenSSL, are there any additional settings that could have
> caused the error?

None that spring to mind.

> 
> Also, I have a question about this issue on Stack Overflow. If we
> resolve the issue, I think it would be good to post it there as an
> answer, if you agree.

Sure.

If you are unable to compile OpenSSL and it doesn't have debugging
symbols then it's going to be difficult to take the diagnosis of this
problem much further.

An alternative solution for you might be a "workaround". Rather than
calling BIO_do_accept(), you could create the socket yourself directly
(i.e. not using the BIO calls). Once you have the socket file
descriptor you can create a BIO from it using BIO_new_socket().

Matt


> Best regards,
> Nikola
> 
> 
> On Sep 2, 2016 9:51 AM, "Matt Caswell" wrote:
> 
> 
> 
> On 01/09/16 12:36, Nikola Milev wrote:
> > listenfd = socket (AF_INET, SOCK_STREAM, PROTOCOL);
> > if(listenfd < 0)
> > {
> >     exit_msg("socket() error");
> > }
> 
> The fact that this worked suggests that maybe we aren't sending what we
> think we are sending as the parameters to the equivalent socket call in
> OpenSSL. Either that or something really weird is happening that causes
> it to fail when called from OpenSSL, but not from a standalone program!!
> 
> Did you compile OpenSSL yourself, or are you using pre-built binaries?
> If you compiled it yourself then I could provide you with a small patch
> to instrument the code to figure out what parameters are being sent to
> "socket"...either that or you could take a look at it in a debugger if
> it has been compiled with debugging symbols.
> 
> Matt
> 


Re: [openssl-users] OpenSSL Dragino Yun Issues

2016-09-02 Thread Matt Caswell


On 01/09/16 12:36, Nikola Milev wrote:
> listenfd = socket (AF_INET, SOCK_STREAM, PROTOCOL);
> if(listenfd < 0)
> {
>     exit_msg("socket() error");
> }

The fact that this worked suggests that maybe we aren't sending what we
think we are sending as the parameters to the equivalent socket call in
OpenSSL. Either that or something really weird is happening that causes
it to fail when called from OpenSSL, but not from a standalone program!!

Did you compile OpenSSL yourself, or are you using pre-built binaries?
If you compiled it yourself then I could provide you with a small patch
to instrument the code to figure out what parameters are being sent to
"socket"...either that or you could take a look at it in a debugger if
it has been compiled with debugging symbols.

Matt


Re: [openssl-users] OpenSSL Dragino Yun Issues

2016-09-01 Thread Nikola Milev
Dear OpenSSL community,

I have, because of Matt's suggestion of the origin of error, written a
small C server that uses the same configuration and it works. Can someone
tell me what's going on?
The code is next (fully copied from my editor):

"#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define PROTOCOL IPPROTO_TCP
#define SERV_PORT 8080
#define LISTENQ 1
#define MAXLINE 100

void exit_msg(const char* msg) ;
void str_echo(int sockfd) ;
ssize_t writen(int fd, const void *vptr, size_t n) ;


int main(int argc, char **argv)
{
    int listenfd, connfd;
    pid_t   childpid;
    socklen_t clilen;
    struct sockaddr_in cliaddr, servaddr;

    /* Same family/type/protocol triple that OpenSSL passes to socket() */
    listenfd = socket (AF_INET, SOCK_STREAM, PROTOCOL);
    if(listenfd < 0)
    {
        exit_msg("socket() error");
    }
    printf("Created socket!\n");
    memset(&servaddr, 0, sizeof(servaddr));
    servaddr.sin_family = AF_INET;
    servaddr.sin_addr.s_addr = htonl (INADDR_ANY);
    servaddr.sin_port = htons (SERV_PORT);

    if(bind(listenfd, (const struct sockaddr *) &servaddr,
            sizeof(servaddr)) < 0)
    {
        exit_msg("bind() error");
    }
    printf("Binded port/socket!\n");

    if(listen(listenfd, LISTENQ) < 0)
    {
        exit_msg("listen() error");
    }
    printf("Listening!\n");

    while(1)
    {
        clilen = sizeof(cliaddr);
        connfd = accept(listenfd, (struct sockaddr *) &cliaddr, &clilen);
        if(connfd < 0)
        {
            exit_msg("accept() error");
        }
        printf("Accepted!\n");
        str_echo(connfd);

        close(connfd);
    }
}

/* Echo everything read from sockfd back to the peer until it disconnects. */
void str_echo(int sockfd)
{
    ssize_t n;
    char buf[MAXLINE];

    while(1)
    {
        /* Read at most MAXLINE - 1 bytes so buf[n] = 0 stays inside buf */
        while ( (n = read(sockfd, buf, MAXLINE - 1)) > 0)
        {
            writen(sockfd, buf, n);
            buf[n]=0;
            printf("Echoing %zd bytes: %s\n", n, buf);
        }
        if (n < 0 && errno == EINTR)
        {
            continue;
        }
        else if (n < 0)
        {
            exit_msg("read() failure");
        }
        else if(n==0)
        {
            printf("Client ended!\nListening!\n");
            break;
        }
    }
}

/* Write exactly n bytes, restarting after EINTR; returns n or -1 on error. */
ssize_t writen(int fd, const void *vptr, size_t n)
{
    size_t nleft;
    ssize_t nwritten;
    const char *ptr;
    ptr = vptr;
    nleft = n;
    while (nleft > 0)
    {
        if ( (nwritten = write(fd, ptr, nleft)) <= 0)
        {
            if (nwritten < 0 && errno == EINTR)
            {
                nwritten = 0;
            }
            else
            {
                return -1;
            }
        }
        nleft -= nwritten;
        ptr += nwritten;
    }
    return n;
}

void exit_msg(const char* msg)
{
    perror(msg);
    exit(EXIT_FAILURE);
}"

Best regards,
Nikola Milev

On 1 September 2016 at 00:16, Nikola Milev wrote:

> To whom it may concern,
>
> I have been experiencing issues with OpenSSL and DraginoYun. If you are
> not the person I should have contacted, please redirect me. Thank you!
>
> Recently, I have tried using OpenSSL to establish a simple server
> application on Dragino Yun version 2.4. First, I tested the code on my Acer
> Aspire 5750ZG running Ubuntu 14.04 and it worked fine. Afterwards, I used
> OpenWrt SDK to cross-compile the application. However, the application is
> unable to bind the socket; the BIO_do_accept function fails. Here is the
> error stack the code provided:
> "2006783048:error:0200407C:lib(2):func(4):reason(124):NA:0:port='5354'
> 2006783048:error:20069076:lib(32):func(105):reason(118):NA:0:"
>
> errstr returned these as answers:
> "$ openssl errstr 0200407C
> error:0200407C:system library:socket:Wrong medium type
> $ openssl errstr 20069076
> error:20069076:BIO routines:BIO_get_accept_socket:unable to create socket
> "
> I suppose that the second one is a product of the first one.
>
> I have checked iptables and I have checked ports that are currently in
> use, all seems to be in order.
>
> However, the OpenSSL s_server (in combination with s_client on the other
> side) works fine.
> May this be an OpenSSL bug? If not, do you have any suggestions?
>
> OpenSSL version on Acer is 1.0.1f 6 Jan 2014 and on Dragino 1.0.1h 5 Jun
> 2014.
>
> In the attachment, I am providing the code (though I am not sure if it is
> available on the list), mostly taken from O'Reilly "Network Security with
> OpenSSL".
>
> All the passkeys are "raspberry". (these certificates and keys were
> generated for testing purposes)
>
> Of course, should you need any additional information, I'd be happy to
> provide it.
>
> I originally addressed Matt Caswell regarding the issue and I am pasting
> his response to my question and my response to that.
>
> His response:
> "Hello,
>
> I'm not really the best person to ask about such low level stuff. The
> best place to raise these questions is on the openssl-users email list.
> It also means any questions/answers are publicly archived and available
> for other users. Details are here:
>
> https://mta.openssl.org
>
> However, I did have a 

Re: [openssl-users] OpenSSL Dragino Yun Issues

2016-08-31 Thread Matt Caswell


On 31/08/16 23:16, Nikola Milev wrote:
> In other words the function that is failing is doing this:
> 
> socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)

It would be interesting to know whether a minimalist program that just
does the above successfully creates a socket or not.

If it does succeed then this might suggest my analysis is wrong, and the
socket call doesn't send the parameters that I think it does. If that's
the case then it would be interesting to try and figure out what it
actually sends.

If it fails then you have a non-OpenSSL issue to try and figure out.

Matt



[openssl-users] OpenSSL Dragino Yun Issues

2016-08-31 Thread Nikola Milev
To whom it may concern,

I have been experiencing issues with OpenSSL and DraginoYun. If you are not
the person I should have contacted, please redirect me. Thank you!

Recently, I have tried using OpenSSL to establish a simple server
application on Dragino Yun version 2.4. First, I tested the code on my Acer
Aspire 5750ZG running Ubuntu 14.04 and it worked fine. Afterwards, I used
OpenWrt SDK to cross-compile the application. However, the application is
unable to bind the socket; the BIO_do_accept function fails. Here is the
error stack the code provided:
"2006783048:error:0200407C:lib(2):func(4):reason(124):NA:0:port='5354'
2006783048:error:20069076:lib(32):func(105):reason(118):NA:0:"

errstr returned these as answers:
"$ openssl errstr 0200407C
error:0200407C:system library:socket:Wrong medium type
$ openssl errstr 20069076
error:20069076:BIO routines:BIO_get_accept_socket:unable to create socket
"
I suppose that the second one is a product of the first one.

I have checked iptables and I have checked ports that are currently in use,
all seems to be in order.

However, the OpenSSL s_server (in combination with s_client on the other
side) works fine.
May this be an OpenSSL bug? If not, do you have any suggestions?

OpenSSL version on Acer is 1.0.1f 6 Jan 2014 and on Dragino 1.0.1h 5 Jun
2014.

In the attachment, I am providing the code (though I am not sure if it is
available on the list), mostly taken from O'Reilly "Network Security with
OpenSSL".

All the passkeys are "raspberry". (these certificates and keys were
generated for testing purposes)

Of course, should you need any additional information, I'd be happy to
provide it.

I originally addressed Matt Caswell regarding the issue and I am pasting
his response to my question and my response to that.

His response:
"Hello,

I'm not really the best person to ask about such low level stuff. The
best place to raise these questions is on the openssl-users email list.
It also means any questions/answers are publicly archived and available
for other users. Details are here:

https://mta.openssl.org

However, I did have a quick look and discovered the following. The code
that raises this error looks like this:

    s = socket(server.sa.sa_family, SOCK_STREAM, SOCKET_PROTOCOL);
    if (s == INVALID_SOCKET) {
        SYSerr(SYS_F_SOCKET, get_last_socket_error());
        ERR_add_error_data(3, "port='", host, "'");
        BIOerr(BIO_F_BIO_GET_ACCEPT_SOCKET, BIO_R_UNABLE_TO_CREATE_SOCKET);
        goto err;
    }

So this is a call to the non-OpenSSL networking function "socket". In
this context "server.sa.sa_family" has been set to AF_INET a few lines
above, and "SOCKET_PROTOCOL" is a macro defined at the beginning of the
file as follows:

# define SOCKET_PROTOCOL IPPROTO_TCP

In other words the function that is failing is doing this:

socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)

This seems like a fairly fundamental failure, and might suggest that the
platform in question has no TCP/IP support available for some reason?"

My response to his:
"
Hi Matt,

The platform supports TCP/IP, if I deduced correctly. I have programmed an
application similar to the example in Unix Network Programming (a basic
TCP/IP echo server) and it works without any issues. Also, openssl s_server
works correctly; I tried using it with openssl s_client on the other
machine.
I will forward my question to the email list, including both of our
responses.
I am grateful for your quick response.

Best regards,
Nikola Milev

"

My original mail to him is almost the same as the first part of this mail.

I am thankful for your support!

Best regards,
Nikola Milev


src.tar.gz
Description: GNU Zip compressed data
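
Added example (not part of the original thread and not OpenSSL code): decoding the two error-queue lines quoted in this mail by hand. For library 2 (the system library) the reason field is the raw errno of the host that failed, and errno numbering differs between Linux architectures, so the text for it is only reliable when looked up on the device that produced the error. Assumptions: the OpenSSL 1.0.x packing of an error code (8-bit library, 12-bit function, 12-bit reason); `parse_err_line` and `reason_is_errno` are hypothetical helper names.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* OpenSSL 1.0.x error code: lib (8 bits) | func (12 bits) | reason (12 bits) */
struct ossl_err { unsigned lib, func, reason; };

#define LIB_SYS 2   /* "system library": reason is the errno of the failing host */

/* Parse "<thread>:error:<hex code>:..." (hypothetical helper). 0 on success. */
int parse_err_line(const char *line, struct ossl_err *out)
{
    const char *p = strstr(line, ":error:");
    char *end;
    unsigned long code;
    if (p == NULL)
        return -1;
    p += strlen(":error:");
    code = strtoul(p, &end, 16);
    if (end == p || end - p > 8 || *end != ':')
        return -1;
    out->lib = (unsigned)((code >> 24) & 0xFF);
    out->func = (unsigned)((code >> 12) & 0xFFF);
    out->reason = (unsigned)(code & 0xFFF);
    return 0;
}

/* Only system-library entries carry an errno in the reason field. */
int reason_is_errno(const struct ossl_err *e) { return e->lib == LIB_SYS; }

int main(void)
{
    /* The two lines from the error stack quoted in the mail above. */
    const char *stack[] = {
        "2006783048:error:0200407C:lib(2):func(4):reason(124):NA:0:port='5354'",
        "2006783048:error:20069076:lib(32):func(105):reason(118):NA:0:",
    };
    struct ossl_err e;
    size_t i;
    for (i = 0; i < sizeof(stack) / sizeof(stack[0]); i++) {
        if (parse_err_line(stack[i], &e) != 0)
            continue;
        printf("lib=%u func=%u reason=%u\n", e.lib, e.func, e.reason);
        if (reason_is_errno(&e))   /* text below is valid for THIS machine only */
            printf("  errno %u here: %s\n", e.reason, strerror((int)e.reason));
    }
    return 0;
}
```

Build and run it on the device that logged the error, so that strerror() uses that platform's errno table.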