


OpenSSL Library Call Redirection, OpenPGP, DANE

I have three separate questions, and I apologize in advance for posting
to multiple newsgroups and mailservs.

But I was taught two things by some very smart individuals:

1) The only dumb question is an unasked one, and
2) When dealing with serious cryptography, do not guess, ask an actual
cryptographer.

So I have a few separate but related questions:

Is it possible to use OpenPGP in DANE? What do I need to do this?

Can I redirect applications that rely specifically on OpenSSL to use NSS
or GnuTLS instead somehow?

My understanding of external library calls is severely limited, but my
understanding is that there's such a thing as DLL/SO injection, which
renames the library and then places an imposter library in its place so
that calls to that library are intercepted, and either handled by the
imposter or transparently forwarded to the real library.

This happens all of the time in the PC gaming world, and is a critical
tool in cheating on multiplayer games. It is a method to manipulate the
game client's internal binary logic.

It follows logically that such a technique SHOULD be possible with
OpenSSL, NSS and GnuTLS. It may be that there are wrappers or special
programs or tools that already do this, but I am unaware of any that
work universally.

Are calls to OpenSSL standardized in some way? Could a simple symlink work?

DANE is a fascinating system, and some applications I am interested in
optionally use DANE to verify the authenticity of certificates/keys. Is
it possible to use DANE locally to indirectly use GnuTLS or NSS as
backend cryptographic libraries?

Does PowerDNS or any of the common DANE-supporting nameservers
explicitly support cryptographic libraries other than OpenSSL? I made
several attempts to divine this knowledge, and was unsuccessful. Perhaps
my Google-fu is not enough.

I fail to grok how I should this.

While applications like Pidgin use NSS, which is refreshing, most
applications I take an interest in specifically link to OpenSSL, rather
than being written as cryptographic library agnostic.

As a mere padawan, I do not know what I can do about this.

The project I have in mind uses PostFix and INN on a private LAN/VPN to
exchange files amongst a group. This group is a set of local
neighborhoods connected by explicit links.

These links use CJDNS for IP address allocation and NameCoin for name
allocation. However, NameCoin does not necessarily provide DANE
emulation. NameCoin does support arbitrary extensions, because it can
use any prefix:key=value binding by "spending" a NameCoin.

This should be trivial enough to write with a simple Bash Shell Script.
I am competent enough to write Bash Shell Scripts. However, I am too
smart to attempt mucking about with cryptographic libraries without
consulting a cryptography guru.

I realize I could somehow get PowerDNS to serve NameCoin .bit records
using the local DNS cache or perhaps a script, but I'm not sure how to
inject OpenPGP certs into DANE records.

I do know I can bind OpenPGP keys into NameCoin .bit addresses in the
same manner as regular DNS records, but I'm not sure if this is
cryptographically sound. Thus why I'm asking people who DO know what
they are doing.

So by manually posting OpenPGP keys along with names into .bit records,
then using a PowerDNS authoritative server to serve the .bit records
from a local DNS cache (somehow), I could provide DANE records to bind
.bit names to CJDNS IPv6 addresses.

This would provide a completely decentralized network, both at the IP
address space and DNS namespace levels, IF it works.

However, some of the servers I'd host on this infrastructure rely
specifically on OpenSSL, and I suspect OpenSSL does not support
verifying keys using OpenPGP, and perhaps not DANE. I'm honestly not sure.

But INN and PostFix would have problems with server-to-server TLS links
if the certs don't validate. I really want to use TLS, even though CJDNS
does use NACL cryptography for its peering links.

I don't like relying on only one cryptographic library for security. I
want both underlying NACL cryptography and TLS cryptography to help
protect sensitive data.

But the idea of using NameCoin + CJDNS -> PowerDNS + GnuPG + NSS/GnuTLS
-> Nginx + INN + PostFix + ... stack seems a little precarious to me.

Thank you very much for your patience, time and attention.

Thank you very much in advance for any help, advice, instruction,
protips, hints or references you may give me.

Thank you.

-- Alex Maurin <coyo AT darkdna DOT net>
Coyo
1/24/2015 7:34:46 PM
comp.os.linux


On 24/01/15 20:34, Coyo wrote:
> I have three separate questions, and I apologize in advance for posting
> to multiple newsgroups and mailservs.
>
> But I was taught two things by some very smart individuals:
>
> 1) The only dumb question is an unasked one, and
> 2) When dealing with serious cryptography, do not guess, ask an actual
> cryptographer.
>
> So I have a few separate but related questions:
>
> Is it possible to use OpenPGP in DANE? What do I need to do this?
>
> Can I redirect applications that rely specifically on OpenSSL to use NSS
> or GnuTLS instead somehow?

You need to recompile them with support for NSS or GnuTLS; this may
require some coding on your part, as not all applications have the code
written so that they can support all the different libraries.

You can of course recompile your applications to use LibreSSL instead of
OpenSSL; this will not require any code change, but needs the
application to be compiled against LibreSSL or else you will have some
really nasty vulnerabilities.


> Are calls to OpenSSL standardized in some way? Could a simple symlink work?

No, a symlink will not work, as they do not have the same function
names/arguments. LibreSSL could replace OpenSSL, but due to some
differences between them, this would cause some vulnerabilities which do
not exist in LibreSSL or OpenSSL, but which are due to compiling an
application against one of them and then using the other.


> DANE is a fascinating system, and some applications I am interested in
> optionally use DANE to verify the authenticity of certificates/keys. Is
> it possible to use DANE locally to indirectly use GnuTLS or NSS as
> backend cryptographic libraries?

Can't tell that as I haven't used it, just download the source code and 
see if there is support for alternatives for OpenSSL.


> Does PowerDNS or any of the common DANE-supporting nameservers
> explicitly support cryptographic libraries other than OpenSSL? I made
> several attempts to divine this knowledge, and was unsuccessful. Perhaps
> my Google-fu is not enough.

Same as for DANE.


-- 

  //Aho

J
1/24/2015 11:18:27 PM
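
The reply's point that a symlink cannot stand in for OpenSSL comes down to the dynamic linker resolving an application's imports by symbol name. The following is an added example, not part of either post: a shell check that compares an application's imported TLS symbols with a candidate library's exports. The `nm -D` output is constructed sample data, and the function names `app_nm`, `gnutls_nm`, `compat_nm` and `unresolved` are hypothetical.

```shell
#!/bin/sh
# Constructed sample data in the shape of `nm -D` output, not from real binaries.
app_nm() {      # hypothetical app built against OpenSSL: nm -D --undefined-only app
cat <<'EOF'
                 U SSL_CTX_new
                 U SSL_connect
                 U SSL_read
                 U X509_free
                 U malloc@GLIBC_2.2.5
                 w __gmon_start__
EOF
}
gnutls_nm() {   # excerpt shaped like: nm -D --defined-only libgnutls.so
cat <<'EOF'
0000000000031a40 T gnutls_init
0000000000032b10 T gnutls_handshake
0000000000033c20 T gnutls_record_recv
EOF
}
compat_nm() {   # a library that exports the OpenSSL API names (constructed)
cat <<'EOF'
0000000000021000 T SSL_CTX_new
0000000000021400 T SSL_connect
0000000000021800 T SSL_read
0000000000041000 T X509_free
EOF
}

# Bare names of undefined (imported) symbols; strips @VERSION suffixes.
undefined_names() { awk '$1 == "U" { sub(/@.*/, "", $2); print $2 }' | LC_ALL=C sort -u; }
# Bare names of defined (exported) symbols.
defined_names() { awk 'NF == 3 && $2 ~ /^[TDBRW]$/ { sub(/@.*/, "", $3); print $3 }' | LC_ALL=C sort -u; }

# unresolved LIB_NM_FUNC: the app's SSL_/X509_ imports that the library does not export.
unresolved() {
    have=$("$1" | defined_names | tr '\n' ' ')
    app_nm | undefined_names | awk -v have="$have" '
        BEGIN { n = split(have, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^(SSL|X509)_/ && !($0 in ok)'
}

echo "unresolved against GnuTLS:"; unresolved gnutls_nm
echo "unresolved against API-compatible library: $(unresolved compat_nm | wc -l)"
```

On a real system, replace the three sample functions with `nm -D --undefined-only` on the application and `nm -D --defined-only` on the library. An empty result only shows that the names resolve; it says nothing about arguments or structure layouts, the kind of difference the reply warns about when mixing OpenSSL and LibreSSL.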