Brett Stone-Gross via RT | 1 Aug 2010 15:28

[openssl.org #2313] [PATCH] rsa_oaep.c additional error checking for EVP_DIGEST function calls in PKCS1_MGF1

Hi,  we would like to submit this patch that adds additional error checking for the PKCS1_MGF1 function that
makes calls to EVP_DIGEST functions, and does not check any of the return values.

Regards,
-Brett

Attachment (rsa_oaep.patch): application/octet-stream, 882 bytes
Ladar Levison | 1 Aug 2010 15:46

RE: ECIES for openssl

>
> I have implemented ECIES (Elliptic Curve Integrated Encryption Scheme)
> for OpenSSL. The code include ASN.1 encoding compatible with SEC1:
> Elliptic Curve Cryptography version 2.0
> (http://www.secg.org/download/aid-780/sec1-v2.pdf), X9.63 KDF, OpenSSL
> ERR mechanism.
>
>    

Hi Zhi,

I'm investigating the possibility of updating my piecemeal ECIES 
implementation that currently builds on libgcrypt to use OpenSSL 
instead, since I already rely heavily on OpenSSL for SSL/TLS and its 
ciphers. I was hoping you could send me your ECIES code as a starting 
point?

TIA,
Ladar

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev <at> openssl.org
Automated List Manager                           majordomo <at> openssl.org

Markus Hofer | 2 Aug 2010 11:08

Building openssl without RSA,DSA,DH errors - bug?

Hi

I already mentioned this in the openssl-users mailing list. Is it possible to build openssl without RSA,DSA
and DH support? Doing so I got errors like

 ./config --prefix=/home_vie/mhofer/tmp_opensslscratch 
 --openssldir=/home_vie/mhofer/tmp_opensslscratch/openssl no-threads no-zlib 
 no-shared no-bf no-cast no-des no-md2 no-mdc2 no-rc2 no-rc4 no-rc5 no-rsa 
 no-dsa no-dh; make depend; make

 the build crashes with:

 gcc -I.. -I../.. -I../../include -DDSO_DLFCN -DHAVE_DLFCN_H -march=pentium 
 -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall 
 -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DSHA1_ASM -DMD5_ASM 
 -DRMD160_ASM -DAES_ASM   -c -o eng_cnf.o eng_cnf.c
> gcc -I.. -I../.. -I../../include -DDSO_DLFCN -DHAVE_DLFCN_H -march=pentium 
 -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall 
 -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DSHA1_ASM -DMD5_ASM 
 -DRMD160_ASM -DAES_ASM   -c -o eng_dyn.o eng_dyn.c
 gcc -I.. -I../.. -I../../include -DDSO_DLFCN -DHAVE_DLFCN_H -march=pentium 
 -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall 
-DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DSHA1_ASM -DMD5_ASM 
-DRMD160_ASM -DAES_ASM   -c -o eng_cryptodev.o eng_cryptodev.c
 In file included from eng_cryptodev.c:33:
 ../../include/openssl/dsa.h:71:2: error: #error DSA is disabled.
 In file included from eng_cryptodev.c:34:
 ../../include/openssl/rsa.h:74:2: error: #error RSA is disabled.
 In file included from eng_cryptodev.c:35:
 ../../include/openssl/dh.h:65:3: error: #error DH is disabled.

Johnson, Donald K | 2 Aug 2010 20:36

Engine support for enabling Intel Atom Security (SEP) processor

Hello,
I am starting to work on development of an openssl engine
to enable access to the security processor, for Intel Atom
chipsets.

Is this the right forum for asking design questions, and
submitting patches?

Thank you,

Don Johnson
Ultra-Mobility Group
Intel Corporation
Office: 503-712-9898
donald.k.johnson <at> intel.com


Patrick Patterson | 2 Aug 2010 20:52

Re: how to disable weak SSL ciphers?

On July 30, 2010 10:21:06 pm Robert Feldman -X (robfeldm - Protingent Staffing 
at Cisco) wrote:
> Nessus and " openssl ciphers -v 'ALL:eNULL'" detect the following weak
> SSL ciphers on my test server:
> 
> 
> 
> NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
> 
> NULL-MD5                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=MD5
> 
> 
> 
> What configure options do I specify to rebuild openssl to compile out
> these weak SSL ciphers?
> 
> Specifying no-md5 should disable required ciphers such as RC4-MD5, which
> I do not want to do.
> 
> Is there an openssl config file or runtime tool to disable all ciphers
> with Enc=None?
> 
Don't rebuild OpenSSL - configure your application to only use ciphers that 
comply with whatever security requirements you have. If this is Apache, you 
can do this fairly simply by using the SSLCipherSuite httpd.conf directive. If 
you wrote the application, then prior to accepting any connections, use the  
SSL_CTX_set_cipher_list() function to set everything up the way you want.

Have fun!


Jeff Davey | 3 Aug 2010 00:09

OpenSSL 0.9.8o compile error with no-comp option

Using ./config no-comp I get a symbol not found:

lib/openssl/scons-lib/libcrypto.a(err_all.o): In function `ERR_load_crypto_strings':
err_all.c:(.text+0x8f): undefined reference to `ERR_load_COMP_strings'
collect2: ld returned 1 exit status


Here's a patch to fix it:
--- openssl-0.9.8o/crypto/err/err_all.c 2009-08-09 07:51:56.000000000 -0700
+++ openssl/crypto/err/err_all.c  2010-08-02 15:04:32.000000000 -0700
<at> <at> -158,6 +158,8 <at> <at>
 #ifndef OPENSSL_NO_JPAKE
        ERR_load_JPAKE_strings();
 #endif
+#ifndef OPENSSL_NO_COMP
        ERR_load_COMP_strings();
 #endif
+#endif
        }
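
Review bot: After this change the hunk ends with two adjacent bare `#endif` lines following ERR_load_COMP_strings(), one closing the new OPENSSL_NO_COMP guard and one closing a conditional opened above the hunk, and nothing tells a reader which is which. A trailing comment on each, for example `#endif /* OPENSSL_NO_COMP */`, would make the nesting explicit. The guard itself follows the OPENSSL_NO_JPAKE pattern directly above and matches the undefined reference to ERR_load_COMP_strings quoted in the message; it would help to state that the tree was rebuilt both with and without no-comp.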

aerowolf | 3 Aug 2010 05:17

Re: how to disable weak SSL ciphers?

You need "!aNULL:!eNULL:!LOW:!SSLv2:!EXPORT:!EXPORT56:FIPS:MEDIUM:HIGH:@STRENGTH" as the
argument to SSL_CTX_set_cipher_list().

You can't get rid of MD5, as *everything* requires it.  If you get rid of it, TLS v1.0 won't work, SSLv3 won't
work, and I don't even know about the TLS v1.1 stuff that's going into (appropriately) OpenSSL v1.1 (and
backported to v1.0.1).

(Can we get TLS v1.2 in v1.2, and then start numbering based on the version of the protocol it speaks? ;) )

-Kyle H

On Mon, Aug 2, 2010 at 11:52 AM, Patrick Patterson <ppatterson <at> carillonis.com> wrote:
> On July 30, 2010 10:21:06 pm Robert Feldman -X (robfeldm - Protingent Staffing
> at Cisco) wrote:
>> Nessus and " openssl ciphers -v 'ALL:eNULL'" detect the following weak
>> SSL ciphers on my test server:
>>
>>
>>
>> NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
>>
>> NULL-MD5                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=MD5
>>
>>
>>
>> What configure options do I specify to rebuild openssl to compile out
>> these weak SSL ciphers?
>>
>> Specifying no-md5 should disable required ciphers such as RC4-MD5, which
>> I do not want to do.
>>
>> Is there an openssl config file or runtime tool to disable all ciphers
>> with Enc=None?
>>
> Don't rebuild OpenSSL - configure your application to only use ciphers that
> comply with whatever security requirements you have. If this is Apache, you
> can do this fairly simply by using the SSLCipherSuite httpd.conf directive. If
> you wrote the application, then prior to accepting any connections, use the
> SSL_CTX_set_cipher_list() function to set everything up the way you want.
>
> Have fun!
>
> --
> Patrick Patterson
> President and Chief PKI Architect,
> Carillon Information Security Inc.
> http://www.carillon.ca


Attachment (smime.p7s): application/pkcs7-signature, 3930 bytes
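
One way to check the result of the advice in this thread from the command line, as an added example that is not part of any message here or of OpenSSL itself: it reads `openssl ciphers -v` output in the column layout quoted in the question and reports every suite whose `Enc=` field is `None`. The names `SAMPLE_OUTPUT`, `null_enc_suites` and `audit_cipher_string` are hypothetical, and the two non-NULL sample rows are constructed.

```shell
#!/bin/sh
# Added example: find null-encryption suites in `openssl ciphers -v` output.

# Constructed sample in the layout shown in the thread:
#   name, protocol, Kx=, Au=, Enc=, Mac=
# The two NULL rows are the ones quoted in the question; the RC4 and AES
# rows are constructed here for contrast.
SAMPLE_OUTPUT='NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
NULL-MD5                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=MD5
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1'

# Read `openssl ciphers -v` output on stdin and print the name of every
# suite whose Enc= field is None. The match is on the field rather than on
# the suite name, so a suite is reported even if "NULL" is not in its name.
null_enc_suites() {
    awk '{
        for (i = 2; i <= NF; i++)
            if ($i == "Enc=None") { print $1; break }
    }'
}

# Expand a cipher string with the local openssl binary and report any
# null-encryption suites it enables.
#   return 0: no Enc=None suite is selected
#   return 1: at least one is selected (names are printed)
#   return 2: the string could not be expanded (openssl missing, or the
#             string selects no suites at all)
audit_cipher_string() {
    out=$(openssl ciphers -v "$1" 2>/dev/null) || return 2
    bad=$(printf '%s\n' "$out" | null_enc_suites)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Typical use, with the string from the original question:
#   audit_cipher_string 'ALL:eNULL'
# and then with the string the application passes to
# SSL_CTX_set_cipher_list() or sets in SSLCipherSuite.
```

The same function can be pointed at the suite list a scanner reports for a running server, since it only depends on the `Enc=` column.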
Darryl Miles | 3 Aug 2010 12:52

Re: Engine support for enabling Intel Atom Security (SEP) processor

Johnson, Donald K wrote:
> Is this the right forum for asking design questions, and
> submitting patches?

Sure.

Patches are preferred to be submitted with ticket at RT 
http://www.openssl.org/support/rt.html  (even if documentation still 
says to use the mailing-list).

Can you cite any online references for the "SEP" and the scope of things 
you are looking into ?  (I have an interest in the MeeGo project myself)

Which things describe what "SEP" is ?

  * SIMD optimizations (AES instructions, OpenSSL asm optimizations)
  * Trusted Execution Technology (TPM/TXT)
  * Hardware asynchronous crypto offloading/coprocessor (OpenSSL Engine)
  * Something else

Darryl

Tim Cloud | 3 Aug 2010 14:53

RE: how to disable weak SSL ciphers?

So, I have a question for this group as well, but it's in regards to this same issue.
What if you didn't write the application, and using the SSLCipherSuite is not an option as it's not running Apache?
Can someone just compile the FIPS compliant version of OpenSSL which should only allow strong ciphers?

Timothy Cloud
MSPRC Database Manager
Chickasaw Nation Industries

-----Original Message-----
From: owner-openssl-dev <at> openssl.org [mailto:owner-openssl-dev <at> openssl.org] On Behalf Of Patrick Patterson
Sent: Monday, August 02, 2010 1:52 PM
To: openssl-dev <at> openssl.org
Subject: Re: how to disable weak SSL ciphers?

On July 30, 2010 10:21:06 pm Robert Feldman -X (robfeldm - Protingent Staffing 
at Cisco) wrote:
> Nessus and " openssl ciphers -v 'ALL:eNULL'" detect the following weak
> SSL ciphers on my test server:
> 
> 
> 
> NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
> 
> NULL-MD5                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=MD5
> 
> 
> 
> What configure options do I specify to rebuild openssl to compile out
> these weak SSL ciphers?
> 
> Specifying no-md5 should disable required ciphers such as RC4-MD5, which
> I do not want to do.
> 
> Is there an openssl config file or runtime tool to disable all ciphers
> with Enc=None?
> 
Don't rebuild OpenSSL - configure your application to only use ciphers that 
comply with whatever security requirements you have. If this is Apache, you 
can do this fairly simply by using the SSLCipherSuite httpd.conf directive. If 
you wrote the application, then prior to accepting any connections, use the  
SSL_CTX_set_cipher_list() function to set everything up the way you want.

Have fun!

-- 
Patrick Patterson
President and Chief PKI Architect,
Carillon Information Security Inc.
http://www.carillon.ca

Johnson, Donald K | 3 Aug 2010 20:10

RE: Engine support for enabling Intel Atom Security (SEP) processor

>-----Original Message-----
>From: Darryl Miles [mailto:darryl-mailinglists <at> netbauds.net]
>Sent: Tuesday, August 03, 2010 3:52 AM
>To: openssl-dev <at> openssl.org
>Cc: Johnson, Donald K
>Subject: Re: [openssl-dev] Engine support for enabling Intel
>Atom Security (SEP) processor
>
>Johnson, Donald K wrote:
>> Is this the right forum for asking design questions, and
>> submitting patches?
>
>Sure.
>
>Patches are preferred to be submitted with ticket at RT
>http://www.openssl.org/support/rt.html  (even if
>documentation still
>says to use the mailing-list).
>
>
>Can you cite any online references for the "SEP" and the
>scope of things
>you are looking into ?  (I have an interest in the MeeGo
>project myself)
>
>
>Which things describe what "SEP" is ?
>
>  * SIMD optimizations (AES instructions, OpenSSL asm
>optimizations)
>  * Trusted Execution Technology (TPM/TXT)
>  * Hardware asynchronous crypto offloading/coprocessor
>(OpenSSL Engine)
>  * Something else
>
There isn't a lot of online information at this time.
The product name is: Intel Smart & Secure Technology (Intel S&ST).
A very brief high level description is in this Intel Atom Processor
fact sheet:

http://download.intel.com/pressroom/kits/atom/z6xx/pdf/Fact_Sheet_Intel_Atom_Processor_Platform.pdf

The S&ST component is part of the Intel Platform Controller Hub (PCH) MP20.

Don J.