Re: [openssl-dev] [openssl.org #4518] OpenSSL-1.1.0-pre5 RSA_set0_key and related RSA_get0_*, RSA_set0_*, DSA_set0_* and DSA_get0_* problems

2016-04-26 Thread Richard Levitte
In message <571fccee.8010...@roumenpetrov.info> on Tue, 26 Apr 2016 23:17:50 +0300, Roumen Petrov said:
openssl> Hello Richard,
openssl>
openssl> Richard Levitte wrote:
openssl> > In message <571f2941.4040...@openssl.org> on Tue, 26 Apr 2016 09:39:29
openssl> > +0100, Matt Caswell said:
opens

Re: [openssl-dev] [openssl.org #4521] openssl GCM ordering

2016-04-26 Thread Salz, Rich
This is the way GCM works. Perhaps you need something else, like CBC mode. Closing this ticket. -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #4521] openssl GCM ordering

2016-04-26 Thread Praveen Kariyanahalli
See inline. Look for Praveen.

On Mon, Apr 25, 2016 at 7:20 PM, Brian Smith wrote:
> Praveen Kariyanahalli via RT wrote:
>
>> Is there a reason why openssl has restriction of auth before encrypt
>> order? I don't believe there is an algo restriction, was wondering why
>> openssl has this.
>>

Re: [openssl-dev] [openssl.org #4520] Camellia asm build failure for 1.1.0pre5 on Solaris (typo in build.info)

2016-04-26 Thread Andy Polyakov via RT
> The change
>
> https://github.com/openssl/openssl/commit/5384d1e4ebd58f31a06b2f5d1f6c4b28f63d72ed
>
> introduced a typo in the last line of file crypto/camellia/build.info.

Fixed. Thanks for the report.

-- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4520 Please log in as guest wi

Re: [openssl-dev] [openssl.org #4518] OpenSSL-1.1.0-pre5 RSA_set0_key and related RSA_get0_*, RSA_set0_*, DSA_set0_* and DSA_get0_* problems

2016-04-26 Thread Roumen Petrov
Hello Richard, Richard Levitte wrote: In message <571f2941.4040...@openssl.org> on Tue, 26 Apr 2016 09:39:29 +0100, Matt Caswell said: [SNIP] I've seen no other opinion, so I went with it. Would you mind having a look at GH#995? I did a bit of change in the docs, but could need some help ex

Re: [openssl-dev] [openssl.org #4518] OpenSSL-1.1.0-pre5 RSA_set0_key and related RSA_get0_*, RSA_set0_*, DSA_set0_* and DSA_get0_* problems

2016-04-26 Thread Douglas E Engert
On 4/26/2016 1:20 PM, Salz, Rich wrote: Look. If Doug noticed this, programmers less intimate with this API are much more likely to get stung by it. The protection against such a misunderstanding is cheap. Is it? And what is that protection? Without introducing memory leaks. In RSA_set0_

Re: [openssl-dev] [openssl.org #4518] OpenSSL-1.1.0-pre5 RSA_set0_key and related RSA_get0_*, RSA_set0_*, DSA_set0_* and DSA_get0_* problems

2016-04-26 Thread Blumenthal, Uri - 0553 - MITLL
On 4/26/16, 15:15 , "openssl-dev on behalf of Viktor Dukhovni" wrote:
>On Tue, Apr 26, 2016 at 12:55:28PM -0500, Douglas E Engert wrote:
>> Adding the test "if (n != rsa->n)" before the BN_free in the
>>RSA_set0_key
>> would catch this.
>
>The correct test is to return an error in that case, not

Re: [openssl-dev] [openssl.org #4518] OpenSSL-1.1.0-pre5 RSA_set0_key and related RSA_get0_*, RSA_set0_*, DSA_set0_* and DSA_get0_* problems

2016-04-26 Thread Viktor Dukhovni
On Tue, Apr 26, 2016 at 12:55:28PM -0500, Douglas E Engert wrote:
> Adding the test "if (n != rsa->n)" before the BN_free in the RSA_set0_key
> would catch this.

The correct test is to return an error in that case, not to skip the free. The caller is doing the wrong thing, and we should not sile

Re: [openssl-dev] [openssl.org #4518] OpenSSL-1.1.0-pre5 RSA_set0_key and related RSA_get0_*, RSA_set0_*, DSA_set0_* and DSA_get0_* problems

2016-04-26 Thread Blumenthal, Uri - 0553 - MITLL
On 4/26/16, 14:20 , "openssl-dev on behalf of Salz, Rich" wrote:
>> Look. If Doug noticed this, programmers less intimate with this API are
>>much
>> more likely to get stung by it. The protection against such a
>>misunderstanding
>> is cheap.
>
>Is it?

I think it is. See Doug’s post.

>And w

Re: [openssl-dev] [openssl.org #4518] OpenSSL-1.1.0-pre5 RSA_set0_key and related RSA_get0_*, RSA_set0_*, DSA_set0_* and DSA_get0_* problems

2016-04-26 Thread Salz, Rich
> Look. If Doug noticed this, programmers less intimate with this API are much
> more likely to get stung by it. The protection against such a misunderstanding
> is cheap.

Is it? And what is that protection? Without introducing memory leaks.

Re: [openssl-dev] [openssl.org #4518] OpenSSL-1.1.0-pre5 RSA_set0_key and related RSA_get0_*, RSA_set0_*, DSA_set0_* and DSA_get0_* problems

2016-04-26 Thread Blumenthal, Uri - 0553 - MITLL
On 4/26/16, 14:03 , "openssl-dev on behalf of Salz, Rich via RT" wrote:
>That code is still wrong. Once you "get0" something you can only look at
>it. You cannot pass it off to a "set0" function. Get0 gives you a
>pointer that *you do not own* and *set0* takes a pointer that you DO own
>and ar

Re: [openssl-dev] [openssl.org #4518] OpenSSL-1.1.0-pre5 RSA_set0_key and related RSA_get0_*, RSA_set0_*, DSA_set0_* and DSA_get0_* problems

2016-04-26 Thread Salz, Rich via RT
That code is still wrong. Once you "get0" something you can only look at it. You cannot pass it off to a "set0" function. Get0 gives you a pointer that *you do not own* and *set0* takes a pointer that you DO own and are giving away. You can't give away something that isn't yours :) The erro

Re: [openssl-dev] [openssl.org #4518] OpenSSL-1.1.0-pre5 RSA_set0_key and related RSA_get0_*, RSA_set0_*, DSA_set0_* and DSA_get0_* problems

2016-04-26 Thread Blumenthal, Uri - 0553 - MITLL
On 4/26/16, 13:56 , "openssl-dev on behalf of Douglas E Engert" wrote:
>...
>RSA_get0_key(rsa, &my_n, &my_e, NULL); /* note this is a GET0 */
>
>/* my_n now points to the BIGNUM as does rsa->n */
>/* my_e now points to the BIGNUM as does rsa->e */
>
>/* other stuff done, such as calculating d */

Re: [openssl-dev] [openssl.org #4518] OpenSSL-1.1.0-pre5 RSA_set0_key and related RSA_get0_*, RSA_set0_*, DSA_set0_* and DSA_get0_* problems

2016-04-26 Thread Douglas E Engert
OK there was an error in my example. The get needed 2 "&":

RSA_get0_key(rsa, &my_n, &my_e, NULL); /* note this is a GET0 */
/* my_n now points to the BIGNUM as does rsa->n */
/* my_e now points to the BIGNUM as does rsa->e */
/* other stuff done, such as calculating d */
RSA_set0_key(rsa, my_

Re: [openssl-dev] [openssl.org #4518] OpenSSL-1.1.0-pre5 RSA_set0_key and related RSA_get0_*, RSA_set0_*, DSA_set0_* and DSA_get0_* problems

2016-04-26 Thread Douglas E Engert
Yes, there was an error in my example; the first line should have read:

RSA_get0_key(rsa, &n, &e, NULL);

The rsa was created in a different routine, so n and e were already set. I am not the one freeing it; it is your RSA_set0_key that is doing the free. Adding the test "if (n != rsa->n)" before t

Re: [openssl-dev] SSL transfer connection (SSL_dup, SSL_up_ref, SSL_free)

2016-04-26 Thread Viktor Dukhovni
> On Apr 25, 2016, at 11:18 PM, Alex Hultman wrote:
>
> Thanks for the answer. I actually found a working solution just a couple of
> minutes after I posted but I still wanted to hear what you recommended. I
> just did ssl->references++; and also the same on the attached BIO's before
> SSL_se

[openssl-dev] Getting raw ASN1 data from X509 certificate

2016-04-26 Thread Kurt Roeckx
Hi, I'm working on a tool that checks various things related to X509 certificates. I want to check that the encoding is actually correct DER. With things like ASN1_TIME it seems easy to get to the raw data, it just seems to contain it. But when I try it with an ASN1_INTEGER it doesn't seem to c

Re: [openssl-dev] [openssl.org #4518] OpenSSL-1.1.0-pre5 RSA_set0_key and related RSA_get0_*, RSA_set0_*, DSA_set0_* and DSA_get0_* problems

2016-04-26 Thread Blumenthal, Uri - 0553 - MITLL
On 4/26/16, 11:43 , "openssl-dev on behalf of Tomas Mraz" wrote:
>On Út, 2016-04-26 at 10:16 -0500, Douglas E Engert wrote:
>> Let me update my response.
>> If I am reading GH#995 correctly it still has an issue if a user
>> does:
>>
>> RSA_get0_key(rsa, n, e, NULL); /* note this is a GET0 */
>>

Re: [openssl-dev] [openssl.org #4518] OpenSSL-1.1.0-pre5 RSA_set0_key and related RSA_get0_*, RSA_set0_*, DSA_set0_* and DSA_get0_* problems

2016-04-26 Thread Tomas Mraz
On Út, 2016-04-26 at 10:16 -0500, Douglas E Engert wrote:
> Let me update my response.
> If I am reading GH#995 correctly it still has an issue if a user
> does:
>
> RSA_get0_key(rsa, n, e, NULL); /* note this is a GET0 */
> /* other stuff done, such as calculating d */
> RSA_set0_key(rsa, n, e, d

Re: [openssl-dev] SSL transfer connection (SSL_dup, SSL_up_ref, SSL_free)

2016-04-26 Thread Benjamin Kaduk
On 04/25/2016 10:18 PM, Alex Hultman wrote:
> Hi Benjamin,
>
> Thanks for the answer. I actually found a working solution just a
> couple of minutes after I posted but I still wanted to hear what you
> recommended. I just did ssl->references++; and also the same on the
> attached BIO's before SSL_s

Re: [openssl-dev] [openssl.org #4518] OpenSSL-1.1.0-pre5 RSA_set0_key and related RSA_get0_*, RSA_set0_*, DSA_set0_* and DSA_get0_* problems

2016-04-26 Thread Blumenthal, Uri - 0553 - MITLL
On 4/26/16, 11:21 , "openssl-dev on behalf of Salz, Rich via RT" wrote:
>> RSA_get0_key(rsa, n, e, NULL); /* note this is a GET0 */
>> /* other stuff done, such as calculating d */
>>RSA_set0_key(rsa, n, e, d);
>>
>> rsa is left with n and e pointing to unallocated storage.
>
>That code is incor

Re: [openssl-dev] [openssl.org #4518] OpenSSL-1.1.0-pre5 RSA_set0_key and related RSA_get0_*, RSA_set0_*, DSA_set0_* and DSA_get0_* problems

2016-04-26 Thread Matt Caswell
On 26/04/16 16:16, Douglas E Engert wrote:
> Let me update my response.
> If I am reading GH#995 correctly it still has an issue if a user does:
>
> RSA_get0_key(rsa, n, e, NULL); /* note this is a GET0 */
> /* other stuff done, such as calculating d */
> RSA_set0_key(rsa, n, e, d);
>
> rsa is

Re: [openssl-dev] [openssl.org #4518] OpenSSL-1.1.0-pre5 RSA_set0_key and related RSA_get0_*, RSA_set0_*, DSA_set0_* and DSA_get0_* problems

2016-04-26 Thread Salz, Rich via RT
> RSA_get0_key(rsa, n, e, NULL); /* note this is a GET0 */
> /* other stuff done, such as calculating d */
RSA_set0_key(rsa, n, e, d);
>
> rsa is left with n and e pointing to unallocated storage.

That code is incorrect.

-- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4518 Please

Re: [openssl-dev] [openssl.org #4518] OpenSSL-1.1.0-pre5 RSA_set0_key and related RSA_get0_*, RSA_set0_*, DSA_set0_* and DSA_get0_* problems

2016-04-26 Thread Salz, Rich via RT
> I can live with it.
> The only solution without some type of change was:
>
> RSA_set0_key(rsa, n, e, NULL);
> /* other stuff done, such as calculating d */
> n_new = BN_dup(n);
> e_new = BN_dup(e);
> RSA_set0_key(rsa, n_new, e_new, d);
>
> It is really gross, and is no

Re: [openssl-dev] [openssl.org #4518] OpenSSL-1.1.0-pre5 RSA_set0_key and related RSA_get0_*, RSA_set0_*, DSA_set0_* and DSA_get0_* problems

2016-04-26 Thread Douglas E Engert
Let me update my response. If I am reading GH#995 correctly it still has an issue if a user does:

RSA_get0_key(rsa, n, e, NULL); /* note this is a GET0 */
/* other stuff done, such as calculating d */
RSA_set0_key(rsa, n, e, d);

rsa is left with n and e pointing to unallocated storage. On 4/2

Re: [openssl-dev] [openssl.org #4518] OpenSSL-1.1.0-pre5 RSA_set0_key and related RSA_get0_*, RSA_set0_*, DSA_set0_* and DSA_get0_* problems

2016-04-26 Thread Douglas E Engert
I can live with it. The only solution without some type of change was:

RSA_set0_key(rsa, n, e, NULL);
/* other stuff done, such as calculating d */
n_new = BN_dup(n);
e_new = BN_dup(e);
RSA_set0_key(rsa, n_new, e_new, d);

It is really gross, and is not intuitive. Since you

Re: [openssl-dev] [openssl.org #4518] OpenSSL-1.1.0-pre5 RSA_set0_key and related RSA_get0_*, RSA_set0_*, DSA_set0_* and DSA_get0_* problems

2016-04-26 Thread Tomas Mraz
On Út, 2016-04-26 at 13:46 +0200, Richard Levitte wrote:
>
> I've seen no other opinion, so I went with it.  Would you mind having
> a look at GH#995?  I did a bit of change in the docs, but could need
> some help expressing it in a better manner.
>
> Also, I'd like to hear from Douglas and Tomas

Re: [openssl-dev] [openssl.org #4518] OpenSSL-1.1.0-pre5 RSA_set0_key and related RSA_get0_*, RSA_set0_*, DSA_set0_* and DSA_get0_* problems

2016-04-26 Thread Blumenthal, Uri - 0553 - MITLL
IMO, go ahead. Original Message From: Richard Levitte Sent: Tuesday, April 26, 2016 07:46 To: openssl-dev@openssl.org Reply To: openssl-dev@openssl.org Subject: Re: [openssl-dev] [openssl.org #4518] OpenSSL-1.1.0-pre

Re: [openssl-dev] [openssl.org #4519] [openssl.org bug #993] New bug report

2016-04-26 Thread Salz, Rich via RT
> Thanks for registering, when can I expect your first feedback on this bug?

This is a mostly volunteer open source project. So hopefully soon is the best you can expect.

-- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4519 Please log in as guest with password guest if prompted

Re: [openssl-dev] [openssl.org #4518] OpenSSL-1.1.0-pre5 RSA_set0_key and related RSA_get0_*, RSA_set0_*, DSA_set0_* and DSA_get0_* problems

2016-04-26 Thread Richard Levitte
In message <571f2941.4040...@openssl.org> on Tue, 26 Apr 2016 09:39:29 +0100, Matt Caswell said:
matt>
matt>
matt> On 26/04/16 08:26, Richard Levitte wrote:
matt> > [temporarily taking this thread away from RT]
matt> >
matt> > Basically, I can see two solutions:
matt> >
matt> > - Allow calls

Re: [openssl-dev] digest SN_ecdsa_with_SHA256 and NID_ecdsa_with_SHA256

2016-04-26 Thread EXT
Hi, I've asked my colleague to try this solution and it worked. I've seen that the file "m_ecsda.c" had been removed from the source tree. Since my changes are based on this file, I assume that my patch is not necessary. Once again, thanks for your help. BTW: We get the signature not with

Re: [openssl-dev] [openssl.org #4519] [openssl.org bug #993] New bug report

2016-04-26 Thread Jaan Murumets via RT
Thanks for registering, when can I expect your first feedback on this bug? -Original Message- From: Salz, Rich via RT [mailto:r...@openssl.org] Sent: Monday, April 25, 2016 6:38 PM To: Jaan Murumets Cc: openssl-dev@openssl.org Subject: RE: [openssl-dev] [openssl.org #4519] [openssl.org b

Re: [openssl-dev] digest SN_ecdsa_with_SHA256 and NID_ecdsa_with_SHA256

2016-04-26 Thread Matt Caswell
On 26/04/16 10:39, Gäckler Martin (EXT) wrote: > Hi Matt, > > Thanks for the reply. According to my colleague the PHP function > opens_verify uses EVP_get_digestbyname to retrieve the EVP_MD. This > does not work for the digest name "ecdsa-with-SHA256". Hmmm. No. Well "ecdsa-with-SHA256" is not

[openssl-dev] Fwd: Building Openssl for Universal Windows Platform

2016-04-26 Thread salman khan
Hi, I'm trying to build OpenSSL as a static library and use it in my projects. Have you guys put any thought to port the OpenSSL library to UWP (Universal Windows 10 Platform)? Can you provide me any guidelines or useful information that I can use to port the libraries unless ported already? Any

Re: [openssl-dev] digest SN_ecdsa_with_SHA256 and NID_ecdsa_with_SHA256

2016-04-26 Thread EXT
Hi Matt, Thanks for the reply. According to my colleague the PHP function opens_verify uses EVP_get_digestbyname to retrieve the EVP_MD. This does not work for the digest name "ecdsa-with-SHA256". Nevertheless, I will try to create a new branch. Thanks again. Martin -Original Message--

Re: [openssl-dev] digest SN_ecdsa_with_SHA256 and NID_ecdsa_with_SHA256

2016-04-26 Thread Matt Caswell
On 26/04/16 09:43, Gäckler Martin (EXT) wrote: > We’re currently developing a system that uses OAuth protocol to identify > the users. The service provider is developed in PHP and uses OpenSSL to > verify the access token. Unfortunately the identity provider, which is > managed by another company

[openssl-dev] digest SN_ecdsa_with_SHA256 and NID_ecdsa_with_SHA256

2016-04-26 Thread EXT
Hello, We're currently developing a system that uses OAuth protocol to identify the users. The service provider is developed in PHP and uses OpenSSL to verify the access token. Unfortunately the identity provider, which is managed by another company, uses ecdsa with sha256 to sign the access to

Re: [openssl-dev] [openssl.org #4518] OpenSSL-1.1.0-pre5 RSA_set0_key and related RSA_get0_*, RSA_set0_*, DSA_set0_* and DSA_get0_* problems

2016-04-26 Thread Matt Caswell
On 26/04/16 08:26, Richard Levitte wrote:
> [temporarily taking this thread away from RT]
>
> Basically, I can see two solutions:
>
> - Allow calls like RSA_set0_key(rsa, NULL, NULL, d);
>
> That's what's implemented in GH#995, except it doesn't check if the
> input parameters are NULL befo

Re: [openssl-dev] [openssl.org #4518] OpenSSL-1.1.0-pre5 RSA_set0_key and related RSA_get0_*, RSA_set0_*, DSA_set0_* and DSA_get0_* problems

2016-04-26 Thread Richard Levitte
[temporarily taking this thread away from RT]

Basically, I can see two solutions:

- Allow calls like RSA_set0_key(rsa, NULL, NULL, d);

That's what's implemented in GH#995, except it doesn't check if the input parameters are NULL before setting the corresponding fields, so that call ends up