Re: Incompatible Object error from EC_POINT_mul (Nicola)

John Hughes-2
Nicola,

Brilliant - that sorted it. I have produced a public key this way and
successfully compared it with the public key in the original key pair.

You may want to update the wiki page to add that step into the sample code


Regards

John

-----Original Message-----
From: openssl-users [mailto:[hidden email]] On Behalf Of
[hidden email]
Sent: 08 October 2018 08:36
To: [hidden email]
Subject: openssl-users Digest, Vol 47, Issue 8

Today's Topics:

   1. Re: Wiki misleading Enc (Richard Levitte)
   2. Re: osf-contact Latest Openssl Issue with Bind 9.12.2-P2 on
      RHEL 7.5 ([hidden email])
   3. Re: Incompatible Object error from EC_POINT_mul (Nicola)


----------------------------------------------------------------------

Message: 1
Date: Mon, 08 Oct 2018 07:03:34 +0200 (CEST)
From: Richard Levitte <[hidden email]>
To: [hidden email]
Cc: [hidden email]
Subject: Re: [openssl-users] Wiki misleading Enc
Message-ID: <[hidden email]>
Content-Type: Text/Plain; charset=us-ascii

Fixed.  Thanks.

In message <[hidden email]> on Sat, 6 Oct 2018
22:48:01 +0200, Paul Zillmann <[hidden email]> said:

> Hello,
>
> the wiki page [1] is wrong about the pass parameter.
> According to [2] the parameter for a keyfile is -pass file:path and
> not -pass pass:path
>
> - Paul
>
> 1: https://wiki.openssl.org/index.php/Enc
> 2: https://www.openssl.org/docs/man1.0.2/apps/openssl.html
>


------------------------------

Message: 2
Date: Mon, 8 Oct 2018 05:50:40 +0000
From: <[hidden email]>
To: "[hidden email]" <[hidden email]>
Cc: "[hidden email]" <[hidden email]>
Subject: Re: [openssl-users] osf-contact Latest Openssl Issue with
        Bind 9.12.2-P2 on RHEL 7.5
Message-ID:
       
<14773_1538977844_5BBAF034_14773_368_1_D9E1007BEB274445807B4DF1046EDA2711076
[hidden email]>
       
Content-Type: text/plain; charset="iso-2022-jp"

Hi Team,

Please find below error in text format.

[root@g3r1 ~]# systemctl status bind -l
? bind.service - LSB: DNS Daemon
   Loaded: loaded (/etc/rc.d/init.d/bind)
   Active: active (exited) since Fri 2018-10-05 13:31:09 CEST; 2 days ago
     Docs: man:systemd-sysv-generator(8)
  Process: 32417 ExecStop=/etc/rc.d/init.d/bind stop (code=exited, status=0/SUCCESS)
  Process: 32421 ExecStart=/etc/rc.d/init.d/bind start (code=exited, status=0/SUCCESS)

Oct 05 13:31:09 g3r1 named[32429]: ----------------------------------------------------
Oct 05 13:31:09 g3r1 named[32429]: adjusted limit on open files from 4096 to 1048576
Oct 05 13:31:09 g3r1 named[32429]: found 1 CPU, using 1 worker thread
Oct 05 13:31:09 g3r1 named[32429]: using 1 UDP listener per interface
Oct 05 13:31:09 g3r1 named[32429]: using up to 4096 sockets
Oct 05 13:31:09 g3r1 named[32429]: openssl_link.c:296: fatal error:
Oct 05 13:31:09 g3r1 named[32429]: OpenSSL pseudorandom number generator cannot be initialized (see the `PRNG not seeded' message in the OpenSSL FAQ)
Oct 05 13:31:09 g3r1 named[32429]: exiting (due to fatal error in library)
Oct 05 13:31:09 g3r1 bind[32421]: [13B blob data]
Oct 05 13:31:09 g3r1 systemd[1]: Started LSB: DNS Daemon.

[root@g3r1 ~]# tail /var/log/message
Oct  5 13:31:09 g3r1 systemd: Starting LSB: DNS Daemon...
Oct  5 13:31:09 g3r1 bind: /etc/rc.d/init.d/bind: line 36: log_info_msg: command not found
Oct  5 13:31:09 g3r1 named[32429]: starting BIND 9.12.2-P2 <id:b2bf278>
Oct  5 13:31:09 g3r1 named[32429]: running on Linux x86_64 3.10.0-327.13.1.el7.x86_64 #1 SMP Mon Feb 29 13:22:02 EST 2016
Oct  5 13:31:09 g3r1 named[32429]: built with '--prefix=/usr' '--sysconfdir=/etc' '--localstatedir=/var' 'mandir=/usr/share/man' '--enable-threads' '--with-libtool' '--with-openssl=/usr/local/ssl' '--disable-static' '--with-randomdev=/dev/urandom'
Oct  5 13:31:09 g3r1 named[32429]: running as: named -u named -t /srv/named -c /etc/named.conf
Oct  5 13:31:09 g3r1 named[32429]: compiled by GCC 4.8.5 20150623 (Red Hat 4.8.5-28)
Oct  5 13:31:09 g3r1 named[32429]: compiled with OpenSSL version: OpenSSL 1.0.2p  14 Aug 2018
Oct  5 13:31:09 g3r1 named[32429]: linked to OpenSSL version: OpenSSL 1.0.2p  14 Aug 2018
Oct  5 13:31:09 g3r1 named[32429]: compiled with zlib version: 1.2.7
Oct  5 13:31:09 g3r1 named[32429]: linked to zlib version: 1.2.7
Oct  5 13:31:09 g3r1 named[32429]: threads support is enabled
Oct  5 13:31:09 g3r1 named[32429]: ----------------------------------------------------
Oct  5 13:31:09 g3r1 named[32429]: BIND 9 is maintained by Internet Systems Consortium,
Oct  5 13:31:09 g3r1 named[32429]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Oct  5 13:31:09 g3r1 named[32429]: corporation.  Support and training for BIND 9 are
Oct  5 13:31:09 g3r1 named[32429]: available at https://www.isc.org/support
Oct  5 13:31:09 g3r1 named[32429]: ----------------------------------------------------
Oct  5 13:31:09 g3r1 named[32429]: adjusted limit on open files from 4096 to 1048576
Oct  5 13:31:09 g3r1 named[32429]: found 1 CPU, using 1 worker thread
Oct  5 13:31:09 g3r1 named[32429]: using 1 UDP listener per interface
Oct  5 13:31:09 g3r1 named[32429]: using up to 4096 sockets
Oct  5 13:31:09 g3r1 named[32429]: openssl_link.c:296: fatal error:
Oct  5 13:31:09 g3r1 named[32429]: OpenSSL pseudorandom number generator cannot be initialized (see the `PRNG not seeded' message in the OpenSSL FAQ)

Thanks & Regards,

Aakash kumar
ITE - India
Tower B, 8th Floor, DLF Infinity Towers,
DLF Cyber City Phase - II
Gurgaon - 122002, Haryana, INDIA
[hidden email]

  Mobile: +91-8527288977
  CVS: 7357 3706







-----Original Message-----
From: Viktor Dukhovni [mailto:[hidden email]]
Sent: 05 October 2018 21:23
To: KUMAR Aakash IMT/OINIS
Cc: [hidden email]; SRIVASTAVA Himanshu IMT/OINIS; VARSHNEY Praveen
IMT/OINIS
Subject: Re: osf-contact Latest Openssl Issue with Bind 9.12.2-P2 on RHEL
7.5





Please try to send the text of error reports, not pictures.

> I am getting below error while starting the bind service.
>
> <image002.png>

If you ask on the openssl-users list, someone else may have seen
the same issue, and may have useful advice to share.

NOTE!!!:  I've set the Reply-To: address to <[hidden email]>.
If you just hit "Reply", your answer may go to the list, though you'd
need to join the list first to be able to post...

Does the error still happen when you disable "chroot" in BIND?
Perhaps BIND is doing late initialization of the PRNG after
entering the chroot jail, and maybe trying to use "/dev/urandom",
which may not be in the jail?  That's a wild guess.  You'd need to
trace system calls to see what it is actually doing...

--
                Viktor.




------------------------------

Message: 3
Date: Mon, 8 Oct 2018 10:35:33 +0300
From: Nicola <[hidden email]>
To: [hidden email]
Subject: Re: [openssl-users] Incompatible Object error from
        EC_POINT_mul
Message-ID:
        <CANm5x_NZ7Xwtgy8sfWYWPjcEvYktFY6apBKXp=[hidden email]>
Content-Type: text/plain; charset="utf-8"

Hi,

I did not run this in the debugger, but one issue is that you are not
initializing `pub` before calling EC_POINT_mul : try adding

pub = EC_POINT_new(curve);
(and check for errors making sure pub is not null afterwards).

Hope this helps!


Best regards,

Nicola


On Mon, Oct 8, 2018, 00:31 John Hughes <[hidden email]> wrote:

> I'm trying to generate a public key from a private key generated on a
> HSM (and obtained by calling PKCS#11). Everything works fine until I
> call EC_POINT_mul - at which point I get the error message:
>
>        error:100BB065:elliptic curve routines:ec_wNAF_mul:incompatible objects
>
> I have checked the BIGNUM conversion - and that seems to be fine. The
> key pair on the HSM is also generated using brainpoolP256r1.
>
> The basis of the code can be found at the end of the email. I'm
> basically trying to follow the example provided in:
>         https://wiki.openssl.org/index.php/Elliptic_Curve_Cryptography.
>
> I'm using openssl 1.10h
>
> Any pointers or help would be appreciated.
>
>
> John
>
> ---------------------------------------------------------------
>
>
>         BN_CTX *ctx;
>         ctx = BN_CTX_new();
>         if(!ctx) {
>                 outputInfo("unable to create openssl BN_CTX");
>                 return;
>         }
>
>         EC_GROUP *curve;
>
>         outputInfo("about to create EC_GROUP_new_by_curve_name");
>         if(NULL == (curve = EC_GROUP_new_by_curve_name(NID_brainpoolP256r1))) {
>                 outputERRORmess("unable to setup curve");
>         }
>
>         outputInfo("about to create EC_KEY_new_by_curve_name");
>         EC_KEY *key;
>         if(NULL == (key = EC_KEY_new_by_curve_name(NID_brainpoolP256r1))) {
>                 outputERRORmess("unable to setup EC_KEY");
>         }
>
>         // now get the private key contained in CKA_VALUE via PKCS#11 and place in *attrPrivate.pValue
>
>                 .......... (handle error)
>
>         EC_POINT *pub;
>
>
>         BIGNUM *prv = BN_bin2bn((unsigned char*)attrPrivate.pValue, attrPrivate.ulValueLen, NULL);
>         if (prv == NULL) {
>
>         ...... (handle error)
>         }
>
>         if (1 != EC_KEY_set_private_key(key, prv)) {
>
>                 ........ (handle error)
>         }
>
>         if (1 != EC_POINT_mul(curve, pub, prv, NULL, NULL, ctx)) {
>                 outputInfo("unable to calculate the public key from the HSM's private key using EC_POINT_mul");
>                 (handle error)
>
>         }

------------------------------
