I'm trying to generate a RSA Signature with libopenssl for c++:
But when I run my code, I get a SIGABRT. I did some deep debugging into libopenssl internal stuff to see where the Segfault comes from. I'll come to this later on.
First I want to make clear, that the RSA PrivateKey was successfully loaded from a .pem file. So Im pretty sure that's not the problem's origin.
So my question is: How to avoid the SIGABRT and what is the cause of it ?
I'm doing this for my B.Sc. Thesis so I really appreciate your help :)
Signature Generation Function:
DocumentSignature* RSASignatureGenerator::generateSignature(ContentHash* ch, CryptographicKey* pK) throw(PDVSException) {
OpenSSL_add_all_algorithms();
OpenSSL_add_all_ciphers();
OpenSSL_add_all_digests();
if(pK == nullptr)
throw MissingPrivateKeyException();
if(pK->getKeyType() != CryptographicKey::KeyType::RSA_PRIVATE || !dynamic_cast<RSAPrivateKey*>(pK))
throw KeyTypeMissmatchException(pK->getPem()->getPath().string(), "Generate RSA Signature");
//get msg to encrypt
const char* msg = ch->getStringHash().c_str();
//get openssl rsa key
RSA* rsaPK = dynamic_cast<RSAPrivateKey*>(pK)->createOpenSSLRSAKeyObject();
//create openssl signing context
EVP_MD_CTX* rsaSignCtx = EVP_MD_CTX_create();
EVP_PKEY* priKey = EVP_PKEY_new();
EVP_PKEY_assign_RSA(priKey, rsaPK);
//init ctxt
if (EVP_SignInit(rsaSignCtx, EVP_sha256()) <=0)
throw RSASignatureGenerationException();
//add data to sign
if (EVP_SignUpdate(rsaSignCtx, msg, std::strlen(msg)) <= 0) {
throw RSASignatureGenerationException();
}
//create result byte signature struct
DocumentSignature::ByteSignature* byteSig = new DocumentSignature::ByteSignature();
//set size to max possible
byteSig->size = EVP_MAX_MD_SIZE;
//alloc buffer memory
byteSig->data = (unsigned char*)malloc(byteSig->size);
//do signing
if (EVP_SignFinal(rsaSignCtx, byteSig->data, (unsigned int*) &byteSig->size, priKey) <= 0)
throw RSASignatureGenerationException();
DocumentSignature* res = new DocumentSignature(ch);
res->setByteSignature(byteSig);
EVP_MD_CTX_destroy(rsaSignCtx);
//TODO open SSL Memory leaks -> where to free open ssl stuff?!
return res;
}
RSA* rsaPK = dynamic_cast(pK)->createOpenSSLRSAKeyObject();
virtual RSA* createOpenSSLRSAKeyObject() throw (PDVSException) override {
RSA* rsa = NULL;
const char* c_string = _pem->getContent().c_str();
BIO * keybio = BIO_new_mem_buf((void*)c_string, -1);
if (keybio==NULL)
throw OpenSSLRSAPrivateKeyObjectCreationException(_pem->getPath());
rsa = PEM_read_bio_RSAPrivateKey(keybio, &rsa, NULL, NULL);
if(rsa == nullptr)
throw OpenSSLRSAPrivateKeyObjectCreationException(_pem->getPath());
//BIO_free(keybio);
return rsa;
}
SigAbrt origin in file openssl/crypto/mem.c
void CRYPTO_free(void *str, const char *file, int line)
{
if (free_impl != NULL && free_impl != &CRYPTO_free) {
free_impl(str, file, line);
return;
}
#ifndef OPENSSL_NO_CRYPTO_MDEBUG
if (call_malloc_debug) {
CRYPTO_mem_debug_free(str, 0, file, line);
free(str);
CRYPTO_mem_debug_free(str, 1, file, line);
} else {
free(str);
}
#else
free(str); // <<<<<<< HERE
#endif
}
the stacktrace
stacktrace screenshot from debugger (clion - gdb based)
I just found the Bug (and Im really not sure if this is a libopenssl bug..)
//set size to max possible
byteSig->size = EVP_MAX_MD_SIZE;
//alloc buffer memory
byteSig->data = (unsigned char*)malloc(byteSig->size);
The problem was when I set the buffer size to EVP_MAX_MD_SIZE!
The (in my opinion) very very strange thing is, that you have to keep the size uninitialized! (not even set to 0 - just "size_t size;" ).
Strange thing here is that then you also HAVE TO allocate memory just like I did. I dont understand this because then an undefined size of memory gets allocated..
What the really weird is that libopenssl internally sets the size back to 0 and allocates the memory itself.. (I detected this by browsing the libopenssl source code)
Related
I'm using this decryption function to get the plain text value of a cipher which was encrypted using EVP AES 265 GCM; I can see data in rawOut but ret = EVP_DecryptFinal_ex(ctx, rawOut, &len); returns 0; can you provide any insight as to why? I've also seen sources which do rawOut + len in the EVP_DecryptFinal_ex code, I'm not sure why this would be needed as it would move the pointer to the end of the buffer.
unsigned char* keyDecrypter(unsigned char* pszMasterKey)
{
ERR_load_crypto_strings();
int ret, len;
EVP_CIPHER_CTX* ctx;
unsigned char* rawOut = new unsigned char[48]; // ToDo Remove Hardcoded Value
Info info = m_header.processKeyInfo();
if (NULL == info.nonce)
return NULL;
if (!(ctx = EVP_CIPHER_CTX_new()))
return NULL;
if (!EVP_DecryptInit_ex(ctx, EVP_aes_256_gcm(), NULL, pszMasterKey, info.nonce))
return NULL;
if (!EVP_DecryptUpdate(ctx, NULL, &len, m_header.aad, m_header.aad_len))
return NULL;
if (!EVP_DecryptUpdate(ctx, rawOut, &len, m_header.encryptedValue, m_header.encryptedValueLen))
return NULL;
// Finalise the decryption. A positive return value indicates success,
// anything else is a failure - the plain text is not trustworthy.
ret = EVP_DecryptFinal_ex(ctx, rawOut, &len);
ERR_print_errors_fp(stderr);
EVP_CIPHER_CTX_free(ctx);
if (ret > 0)
{
return rawOut;
}
else
{
return NULL;
}
}
From the OpenSSL doc:
"EVP_DecryptFinal() will return an error code if padding is enabled and the final block is not correctly formatted."
Apparently, the padding scheme between encryption and decryption do not match, or perhaps the size of ciphertext fed into the decryption engine did not exactly match the size of the ciphertext that was output from the encryption engine. Note that the ciphertext must include the result of a corresponding call to EVP_EncryptFinal_ex.
It is unfortunate that the original poster did not provide sufficient information to make an exact determination.
You need to pass rawOut + len to EVP_DecryptFinal_ex. See in the example at the end of the documentation:
/* Buffer passed to EVP_EncryptFinal() must be after data just
* encrypted to avoid overwriting it.
*/
if(!EVP_EncryptFinal_ex(ctx, outbuf + outlen, &tmplen))
{
/* Error */
return 0;
}
outlen += tmplen;
Also note that rawOut must have enough room for (m_header.aad_len + cipher_block_size) bytes. You can get the block size with EVP_CIPHER_block_size().
Getting this very annoying error. error:0906D06C:PEM routines:PEM_read_bio:no start
Code:
RSA* publickey = cWrapper.getPublicKey("C:/rsa-stuff/public.pem");
QByteArray plain = "The man in the black fled into the desert and the gunslinger followed...";
QByteArray encrypted = cWrapper.encryptRSA(publickey, plain);
In encryptRSA():
const char* publicKeyStr = data.constData();
qDebug() << publicKeyStr;
BIO* bio = BIO_new_mem_buf((void*)publicKeyStr, -1);
BIO_set_flags(bio, BIO_FLAGS_BASE64_NO_NL);
RSA* rsaPubKey = PEM_read_bio_RSAPublicKey(bio, NULL, NULL, NULL);
if(!rsaPubKey) {
qDebug() << "Could not load public key, " << ERR_error_string(ERR_get_error(), NULL); // error is here
}
BIO_free(bio);
This is how I read file:
QByteArray data;
QFile file(filename);
if(!file.open(QFile::ReadOnly))
{
printf("Error reading file: %s\n", file.errorString());
return data;
}
data = file.readAll();
file.close();
return data;
When I print out publicKeyStr, looks fine. This is notepad++ view with all characters enabled:
Anyone know what I am doing wrong? Super annoying issue :(
First of all, it's not this problem because I don't get the trusted part. Anyhow, I did try all the "solutions" and none of them worked, same error.
Your RSA public key is in SubjectPublicKeyInfo PEM format, but you are trying to read it using PEM_read_bio_RSAPublicKey which tries to read a PEM RSA key in PKCS#1 format. Try using PEM_read_bio_RSA_PUBKEY instead.
https://www.openssl.org/docs/man1.1.0/crypto/PEM_read_bio_RSAPublicKey.html
I got that same error on an openSSL1.1.0f I ported. The error showed up in my logger when reading out the root certificate from an mqtt client connection, until I figured out that I had forwarded the ERR_put_error() directly to my logger, whereas in openssl - the "real" error handling is kept in an ERR_STATE error buffer, and so sometimes (like in this case), errors are "expected", and the ERR_STATE error buffer is cleared (before anyone should check it).
in crypto/pem/pem_info.c, line 65:
i = PEM_read_bio(bp, &name, &header, &data, &len);
if (i == 0) {
error = ERR_GET_REASON(ERR_peek_last_error());
if (error == PEM_R_NO_START_LINE) {
ERR_clear_error();
break;
}
goto err;
meaning it runs througth the BIO_gets inside the PEM_read_bio until it returns zero, and if you get this PEM_R_NO_START_LINE, then thats just a way of saying its done.
By that time though, the error had already landed in my logger. So for anyone being confused by errors he or she is forwarding directly from ERR_put_error, use the ERR_print_errors_fp(stderr); in your errorhandling routine instead. In my case, as I dont have a stderr, I made a patched version of it, like:
void errorhandling()
{
unsigned long l;
char buf[256];
const char *file, *data;
int line, flags;
while ((l = ERR_get_error_line_data(&file, &line, &data, &flags)) != 0)
{
ERR_error_string_n(l, buf, sizeof buf);
printf("%s:%s:%d:%s\n", buf, file, line, (flags & ERR_TXT_STRING) ? data : "");
}
}
I have the following code in an C websocket server application I have. The code performs ssl signature verification on a message with a given public key. The code works fine in the C application, but recently I started writing it on c++.The issue I encountered is that the same code, that is below, is in both applications, without change, both times receiving the same input data, but the one compiled with c++ yields SSL error bad signature.
Here is the code:
int verifyMessageSignature(const char* decoded_message, int pos,
unsigned char* signature, char* publicKey)
{
SSL_library_init();
SSL_load_error_strings();
ERR_load_BIO_strings();
// OpenSSL_add_all_algorithms()
if (!publicKey)
{
printf("publicKey is null\n");
}
BIO* keyBio = BIO_new_mem_buf(publicKey, -1);
if(!keyBio)
{
printf("failed to created BIO\n");
printError(ERR_get_error());
}
BIO_set_mem_eof_return(keyBio, 0);
RSA* rsa = PEM_read_bio_RSA_PUBKEY(keyBio, NULL, NULL, NULL);
if (!rsa)
{
printf("Error in PEM_read_bio_RSA_PUBKEY\n");
printError(ERR_get_error());
}
EVP_MD_CTX *mdctx = NULL;
if (!(mdctx = EVP_MD_CTX_create()))
{
printf("Error in ctx\n");
printError(ERR_get_error());
}
EVP_PKEY* pk = EVP_PKEY_new();
if (EVP_PKEY_set1_RSA(pk, rsa) != 1)
{
printf("err in EVP_PKEY_set1_RSA\n");
printError(ERR_get_error());
}
if (EVP_DigestVerifyInit(mdctx, NULL, EVP_sha1(), NULL, pk) != 1)
{
printf("error in EVP_DigestVerifyInit\n");
printError(ERR_get_error());
}
if (EVP_DigestVerifyUpdate(mdctx, decoded_message, pos) != 1)
{
printf("error in EVP_DigestVerifyUpdate\n");
printError(ERR_get_error());
}
if (EVP_DigestVerifyFinal(mdctx, signature, 512) == 1)
{
/* Success */
printf("Successful verification!\n");
}
else
{
/* Failure */
printf("Unsuccessful verification!\n");
printError(ERR_get_error());
BIO_free_all(keyBio);
RSA_free(rsa);
EVP_PKEY_free(pk);
EVP_MD_CTX_destroy(mdctx);
ERR_free_strings();
return 1;
}
BIO_free_all(keyBio);
RSA_free(rsa);
EVP_PKEY_free(pk);
EVP_MD_CTX_destroy(mdctx);
ERR_free_strings();
return 0;
}
This code works fine in C. it successfully verifies the signature in my tests, whilst the same code, with the same input data (keys, messages, etc..) in c++ yields bad signature.
I am compiling under Ubuntu, using gcc and g++ (latest)
What could be causing this issue?
Solved. The issue was that i was using std::string to pass the decoded message around, which somehow was fucking it up. I switched the c++ code to use also char* strings for this section and is fine now.
Thanks for the replies, I hope someone else finds this useful.
Edit:
PS: I am using another function for generating the decoded message itself. Usage of std::string there was causing this issue.
I'm trying to sign a message using the OpenSSL C api. The following code segfaults because of EXC_BAD_ACCESS during either of the calls to EVP_DigestSignFinal. I'm using OpenSSL 1.0.1g. I tried switching from the newer DigestSign* functions to the older Sign* functions, and it still segfaults.
private_key is set with EVP_PKEY_set1_RSA from an RSA key loaded from a PEM file. The first call to EVP_DigestSignFinal fills s_len with the maximum possible length of the signature for the signing algorithm, so signature not being big enough shouldn't be the issue, and the second call writes to the signature buffer and fills s_len with the length of the signature.
I would appreciate any help I could get with this.
vector<unsigned char> rsa_sha512_sign(
const vector<unsigned char>& document,
shared_ptr<EVP_PKEY> private_key) {
EVP_MD_CTX* md;
if (!(md = EVP_MD_CTX_create())) {
throw runtime_error("Error initializing ENV_MD_CTX.");
}
if (EVP_DigestSignInit(md, NULL, EVP_sha512(), NULL, private_key.get())
!= 1) {
throw runtime_error("Error in EVP_DigestSignInit.");
}
if (EVP_DigestSignUpdate(md, document.data(), document.size()) != 1) {
throw runtime_error("Error computing hash on document.");
}
size_t s_len;
if (EVP_DigestSignFinal(md, NULL, &s_len) != 1) { // Segfault here
throw runtime_error("Error determining maximum signature size.");
}
vector<unsigned char> signature(s_len);
if (EVP_DigestSignFinal(md, signature.data(), &s_len) != 1) { // or here (or both)
throw runtime_error("Error signing document.");
}
signature.resize(s_len);
EVP_MD_CTX_destroy(md);
return move(signature);
}
The problem is likely with how you are initializing private_key. Probably, you are mixing malloc() with delete, and corrupting the heap in the process. You need to provide shared_ptr the proper deleter for the pointer you feed to it if the pointer was not created with new.
shared_ptr<RSA> r(RSA_new(), RSA_free);
shared_ptr<EVP_PKEY> p(EVP_PKEY_new(), EVP_PKEY_free);
shared_ptr<BIGNUM> bn(BN_new(), BN_free);
vector<unsigned char> doc(0, 100);
BN_set_word(bn.get(), RSA_F4);
RSA_generate_key_ex(r.get(), 2048, bn.get(), 0);
EVP_PKEY_set1_RSA(p.get(), r.get());
rsa_sha512_sign(doc, p);
I am working on a task to encrypt large files with AES CCM mode (256-bit key length). Other parameters for encryption are:
tag size: 8 bytes
iv size: 12 bytes
Since we already use OpenSSL 1.0.1c I wanted to use it for this task as well.
The size of the files is not known in advance and they can be very large. That's why I wanted to read them by blocks and encrypt each blocks individually with EVP_EncryptUpdate up to the file size.
Unfortunately the encryption works for me only if the whole file is encrypted at once. I get errors from EVP_EncryptUpdate or strange crashes if I attempt to call it multiple times. I tested the encryption on Windows 7 and Ubuntu Linux with gcc 4.7.2.
I was not able to find and information on OpenSSL site that encrypting the data block by block is not possible (or possible).
Additional references:
http://www.fredriks.se/?p=23
http://incog-izick.blogspot.in/2011/08/using-openssl-aes-gcm.html
Please see the code below that demonstrates what I attempted to achieve. Unfortunately it is failing where indicated in the for loop.
#include <QByteArray>
#include <openssl/evp.h>
// Key in HEX representation
static const char keyHex[] = "d896d105b05aaec8305d5442166d5232e672f8d5c6dfef6f5bf67f056c4cf420";
static const char ivHex[] = "71d90ebb12037f90062d4fdb";
// Test patterns
static const char orig1[] = "Very secret message.";
const int c_tagBytes = 8;
const int c_keyBytes = 256 / 8;
const int c_ivBytes = 12;
bool Encrypt()
{
EVP_CIPHER_CTX *ctx;
ctx = EVP_CIPHER_CTX_new();
EVP_CIPHER_CTX_init(ctx);
QByteArray keyArr = QByteArray::fromHex(keyHex);
QByteArray ivArr = QByteArray::fromHex(ivHex);
auto key = reinterpret_cast<const unsigned char*>(keyArr.constData());
auto iv = reinterpret_cast<const unsigned char*>(ivArr.constData());
// Initialize the context with the alg only
bool success = EVP_EncryptInit(ctx, EVP_aes_256_ccm(), nullptr, nullptr);
if (!success) {
printf("EVP_EncryptInit failed.\n");
return success;
}
success = EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_IVLEN, c_ivBytes, nullptr);
if (!success) {
printf("EVP_CIPHER_CTX_ctrl(EVP_CTRL_CCM_SET_IVLEN) failed.\n");
return success;
}
success = EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_TAG, c_tagBytes, nullptr);
if (!success) {
printf("EVP_CIPHER_CTX_ctrl(EVP_CTRL_CCM_SET_TAG) failed.\n");
return success;
}
success = EVP_EncryptInit(ctx, nullptr, key, iv);
if (!success) {
printf("EVP_EncryptInit failed.\n");
return success;
}
const int bsize = 16;
const int loops = 5;
const int finsize = sizeof(orig1)-1; // Don't encrypt '\0'
// Tell the alg we will encrypt size bytes
// http://www.fredriks.se/?p=23
int outl = 0;
success = EVP_EncryptUpdate(ctx, nullptr, &outl, nullptr, loops*bsize + finsize);
if (!success) {
printf("EVP_EncryptUpdate for size failed.\n");
return success;
}
printf("Set input size. outl: %d\n", outl);
// Additional authentication data (AAD) is not used, but 0 must still be
// passed to the function call:
// http://incog-izick.blogspot.in/2011/08/using-openssl-aes-gcm.html
static const unsigned char aadDummy[] = "dummyaad";
success = EVP_EncryptUpdate(ctx, nullptr, &outl, aadDummy, 0);
if (!success) {
printf("EVP_EncryptUpdate for AAD failed.\n");
return success;
}
printf("Set dummy AAD. outl: %d\n", outl);
const unsigned char *in = reinterpret_cast<const unsigned char*>(orig1);
unsigned char out[1000];
int len;
// Simulate multiple input data blocks (for example reading from file)
for (int i = 0; i < loops; ++i) {
// ** This function fails ***
if (!EVP_EncryptUpdate(ctx, out+outl, &len, in, bsize)) {
printf("DHAesDevice: EVP_EncryptUpdate failed.\n");
return false;
}
outl += len;
}
if (!EVP_EncryptUpdate(ctx, out+outl, &len, in, finsize)) {
printf("DHAesDevice: EVP_EncryptUpdate failed.\n");
return false;
}
outl += len;
int finlen;
// Finish with encryption
if (!EVP_EncryptFinal(ctx, out + outl, &finlen)) {
printf("DHAesDevice: EVP_EncryptFinal failed.\n");
return false;
}
outl += finlen;
// Append the tag to the end of the encrypted output
if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_GET_TAG, c_tagBytes, out + outl)) {
printf("DHAesDevice: EVP_CIPHER_CTX_ctrl failed.\n");
return false;
};
outl += c_tagBytes;
out[outl] = '\0';
EVP_CIPHER_CTX_cleanup(ctx);
EVP_CIPHER_CTX_free(ctx);
QByteArray enc(reinterpret_cast<const char*>(out));
printf("Plain text size: %d\n", loops*bsize + finsize);
printf("Encrypted data size: %d\n", outl);
printf("Encrypted data: %s\n", enc.toBase64().data());
return true;
}
EDIT (Wrong Solution)
The feedback that I received made me think in a different direction and I discovered that EVP_EncryptUpdate for size must be called for each block that it being encrypted, not for the total size of the file. I moved it just before the block is encrypted: like this:
for (int i = 0; i < loops; ++i) {
int buflen;
(void)EVP_EncryptUpdate(m_ctx, nullptr, &buflen, nullptr, bsize);
// Resize the output buffer to buflen here
// ...
// Encrypt into target buffer
(void)EVP_EncryptUpdate(m_ctx, out, &len, in, buflen);
outl += len;
}
AES CCM encryption block by block works this way, but not correctly, because each block is treated as independent message.
EDIT 2
OpenSSL's implementation works properly only if the complete message is encrypted at once.
http://marc.info/?t=136256200100001&r=1&w=1
I decided to use Crypto++ instead.
For AEAD-CCM mode you cannot encrypt data after associated data was feed to the context.
Encrypt all the data, and only after it pass the associated data.
I found some mis-conceptions here
first of all
EVP_EncryptUpdate(ctx, nullptr, &outl
calling this way is to know how much output buffer is needed so you can allocate buffer and second time give the second argument as valid big enough buffer to hold the data.
You are also passing wrong (over written by previous call) values when you actually add the encrypted output.