Re: Problem decrypting a pkcs7 structure

2002-11-03 Thread Vadim Fedukovich
On Sun, Nov 03, 2002 at 01:56:31AM +0100, Massimiliano Pala wrote:
 Hi,
 
 I am trying to decrypt some data in a pkcs7 env structure. The problem comes
 when I try to use the PKCS7_decrypt (I guess the problem to be in 
 PKCS7_dataDecode that is actually called -- see pk7_doit.c and pk7_smime.c).
 
 If I use a loaded normal certificate everything is fine, but when I try
 to use a fake X509 structure where I store only the cert_info->issuer
 and cert_info->serialNumber data (the only ones that should be accessed
 when decrypting) I get a core dump.
 
 Here it is the code:
 
  if( (foo_cert = X509_new()) == NULL ) {
      // Memory error...
  } else {
      char buffer[1024];
 
      foo_cert->cert_info->issuer =
          rinfo->ias->issuer;
      foo_cert->cert_info->serialNumber =
          rinfo->ias->serial;
  }
 
  bio = BIO_new(BIO_s_mem());
  if (PKCS7_decrypt(p7, pkey, foo_cert, bio, 0) == 0) {
      BIO_printf(bio_err, "%s:%d: decryption failed\n", __FILE__,
          __LINE__);
      goto err;
  }
 
 Where am I wrong ? Is there a function for decrypting a pkcs7 structure
 that does not require a (X509 *) [virtually useless, if not for checking
 against the recipient info, I guess] ?

It's easy to see PKCS7_decrypt() does X509_check_private_key(certificate, key)
and then PKCS7_dataDecode()

One could also read PKCS7_dataDecode() source to see decryption certificate
will only be used to match issuer and serial number with that of each
recipient info from enveloped data, so your code should work fine
with PKCS7_decrypt() replaced

good luck,
Vadim
-- 
Naina library: http://www.unity.net/~vf/naina_r1.tgz
__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



Re: [openssl.org #327] compilation errors for openssl 0.9.8

2002-11-03 Thread Richard Levitte - VMS Whacker
In message [EMAIL PROTECTED] on Fri,  1 Nov 2002 16:57:24 
+0100 (MET), Lucas C via RT [EMAIL PROTECTED] said:

rt - There is something wrong with the macros that
rt disable hardware support. Some parts of the build
rt procedure think it is not necessary to build the
rt hardware support engines, other parts still want to
rt use them. During the first link trial, I got a bunch
rt of 'unresolved external symbol' messages for these
rt exported functions:
rt 
rt     ENGINE_load_4758cca
rt     ENGINE_load_aep
rt     ENGINE_load_atalla
rt     ENGINE_load_chil
rt     ENGINE_load_cswift
rt     ENGINE_load_nuron
rt     ENGINE_load_sureware
rt     ENGINE_load_ubsec
rt 
rt   Manually editing LIBEAY32.def to exclude those
rt exports fixes this, but I guess the scripts that
rt generate it should be adapted.

I'm working on getting that right.  I just fixed it for VMS, Windows
is next.

rt - By the way, I also got the following message:
rt   ms/LIBEAY32.def(7) : warning LNK4017: DESCRIPTION
rt statement not supported for the target platform;
rt ignored
rt 
rt   IIRC the 'DESCRIPTION' line in a .def file is a
rt remainder of the 16 bit era. It should not be there in
rt the 32 bit .def files.

Possible, but it's only recently that there have been warnings, I
think.  I can't recall seeing that on W2K.

rt - During the next link run 'unresolved external
rt symbol' messages related to the previous ones show up.
rt This time not from the exports (.def), but all of them
rt from 'eng_all.obj'. The missing symbols are exactly
rt the same as above.
rt 
rt   Adding '-DOPENSSL_NO_HW' to CFLAG in the
rt makefile and recompiling fixes this, but once again, I
rt guess the scripts should be updated. (no change in
rt eng_all.c is needed).

Actually, you should add -DOPENSSL_NO_STATIC_ENGINE

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken  \ S-168 35  BROMMA  \ T: +46-8-26 52 47
\  SWEDEN   \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See http://www.stacken.kth.se/~levitte/mail/ for more info.



[STATUS] OpenSSL (Sun 3-Nov-2002)

2002-11-03 Thread OpenSSL Project

  OpenSSL STATUS   Last modified at
  __   $Date: 2002/08/14 11:07:29 $

  DEVELOPMENT STATE

o  OpenSSL 0.9.8:  Under development...
o  OpenSSL 0.9.7-beta3: Released on July 30th, 2002
o  OpenSSL 0.9.7-beta2: Released on June 16th, 2002
o  OpenSSL 0.9.7-beta1: Released on June  1st, 2002
o  OpenSSL 0.9.6g: Released on August 9th, 2002
o  OpenSSL 0.9.6f: Released on August 8th, 2002
o  OpenSSL 0.9.6e: Released on July  30th, 2002
o  OpenSSL 0.9.6d: Released on May       9th, 2002
o  OpenSSL 0.9.6c: Released on December  21st, 2001
o  OpenSSL 0.9.6b: Released on July   9th, 2001
o  OpenSSL 0.9.6a: Released on April  5th, 2001
o  OpenSSL 0.9.6:  Released on September 24th, 2000
o  OpenSSL 0.9.5a: Released on April  1st, 2000
o  OpenSSL 0.9.5:  Released on February  28th, 2000
o  OpenSSL 0.9.4:  Released on August    09th, 1999
o  OpenSSL 0.9.3a: Released on May   29th, 1999
o  OpenSSL 0.9.3:  Released on May   25th, 1999
o  OpenSSL 0.9.2b: Released on March 22th, 1999
o  OpenSSL 0.9.1c: Released on December  23th, 1998

  [See also http://www.openssl.org/support/rt2.html]

  RELEASE SHOWSTOPPERS

o BN_mod_mul verification fails for mips3-sgi-irix
  unless configured with no-asm

  AVAILABLE PATCHES

o 

  IN PROGRESS

o Steve is currently working on (in no particular order):
    ASN1 code redesign, butchery, replacement.
    OCSP
    EVP cipher enhancement.
    Enhanced certificate chain verification.
    Private key, certificate and CRL API and implementation.
    Developing and bugfixing PKCS#7 (S/MIME code).
    Various X509 issues: character sets, certificate request extensions.
o Geoff and Richard are currently working on:
    ENGINE (the new code that gives hardware support among others).
o Richard is currently working on:
    UI (User Interface)
    UTIL (a new set of library functions to support some higher level
      functionality that is currently missing).
    Shared library support for VMS.
    Kerberos 5 authentication
    Constification
    OCSP

  NEEDS PATCH

o  0.9.8-dev: COMPLEMENTOFALL and COMPLEMENTOFDEFAULT do not
   handle ECCdraft cipher suites correctly.

o  apps/ca.c: "Sign the certificate?" - "n" creates empty certificate file

o  OpenSSL STATUS is never up-to-date.

  OPEN ISSUES

o  The Makefile hierarchy and build mechanism is still not a round thing:

   1. The config vs. Configure scripts
  It's the same nasty situation as for Apache with APACI vs.
  src/Configure. It confuses.
  Suggestion: Merge Configure and config into a single configure
  script with a Autoconf style interface ;-) and remove
  Configure and config. Or even let us use GNU Autoconf
  itself. Then we can avoid a lot of those platform checks
  which are currently in Configure.

o  Support for Shared Libraries has to be added at least
   for the major Unix platforms. The details we can rip from the stuff
   Ralf has done for the Apache src/Configure script. Ben wants the
   solution to be really simple.

   Status: Ralf will look how we can easily incorporate the
   compiler PIC and linker DSO flags from Apache
   into the OpenSSL Configure script.

   Ulf: +1 for using GNU autoconf and libtool (but not automake,
which apparently is not flexible enough to generate
libcrypto)

  WISHES

o  Add variants of DH_generate_parameters() and BN_generate_prime() [etc?]
   where the callback function can request that the function be aborted.
   [Gregory Stark [EMAIL PROTECTED], [EMAIL PROTECTED]]

o  SRP in TLS.
   [wished by:
Dj [EMAIL PROTECTED], Tom Wu [EMAIL PROTECTED],
Tom Holroyd [EMAIL PROTECTED]]

   See http://search.ietf.org/internet-drafts/draft-ietf-tls-srp-00.txt
   as well as http://www-cs-students.stanford.edu/~tjw/srp/.

   Tom Holroyd tells us there is a SRP patch for OpenSSH at
   http://members.tripod.com/professor_tom/archives/, that could
   be useful.



Re: Problem decrypting a pkcs7 structure

2002-11-03 Thread Massimiliano Pala
Vadim Fedukovich wrote:
[...]

It's easy to see PKCS7_decrypt() does X509_check_private_key(certificate, key)
and then PKCS7_dataDecode()

One could also read PKCS7_dataDecode() source to see decryption certificate
will only be used to match issuer and serial number with that of each
recipient info from enveloped data, so your code should work fine
with PKCS7_decrypt() replaced


Indeed I had tried also using directly the PKCS7_dataDecode() but I got
a core dump as well...

Thanks for the hint on the PKCS7_decrypt(), however shouldn't we add some
checking on the passed parameters so as to avoid unsafe code from
core dumping ?

--

C'you,

	Massimiliano Pala

--o-
Massimiliano Pala [OpenCA Project Manager]    [EMAIL PROTECTED]
                                              [EMAIL PROTECTED]
http://www.openca.org                         Tel.:   +39 (0)59  270  094
http://openca.sourceforge.net                 Mobile: +39 (0)347 7222 365
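
Added example (not part of the thread and not OpenSSL code): a simplified C model of the recipient lookup discussed above, matching issuer and serial number against each recipient info, with the kind of parameter checking asked about in the last message. The struct and function names are hypothetical stand-ins, not OpenSSL types, and the sample data is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* Hypothetical stand-ins for a recipient info's issuer-and-serial pair
 * and for enveloped data; these are NOT OpenSSL types. */
struct ias { const char *issuer; const unsigned char *serial; size_t serial_len; };
struct envelope { const struct ias *recips; size_t n_recips; };
enum { ERR_NULL_ARG = -1, ERR_INCOMPLETE_ID = -2, ERR_NO_MATCH = -3 };

/* An identifier is usable only when both fields are present. */
static int ias_complete(const struct ias *id)
{
    return id->issuer != NULL && id->serial != NULL && id->serial_len > 0;
}

/* Return the index of the recipient info matching `want`, or a negative
 * error code. Every pointer is checked before it is dereferenced, so a
 * half-filled caller structure yields an error instead of a crash. */
int find_recipient(const struct envelope *env, const struct ias *want)
{
    size_t i;
    if (env == NULL || want == NULL || (env->n_recips > 0 && env->recips == NULL))
        return ERR_NULL_ARG;
    if (!ias_complete(want))
        return ERR_INCOMPLETE_ID;
    for (i = 0; i < env->n_recips; i++) {
        const struct ias *ri = &env->recips[i];
        if (!ias_complete(ri))
            continue; /* skip malformed entries instead of comparing them */
        if (strcmp(ri->issuer, want->issuer) == 0 &&
            ri->serial_len == want->serial_len &&
            memcmp(ri->serial, want->serial, want->serial_len) == 0)
            return (int)i;
    }
    return ERR_NO_MATCH;
}

/* Constructed sample data: two recipients, a full query and a half-filled one. */
static const unsigned char SER_A[] = { 0x01, 0x2f }, SER_B[] = { 0x07 };
static const struct ias RECIPS[] = { { "CN=Example CA A", SER_A, sizeof SER_A },
                                     { "CN=Example CA B", SER_B, sizeof SER_B } };
static const struct envelope ENV = { RECIPS, 2 };
static const struct ias WANT_B = { "CN=Example CA B", SER_B, sizeof SER_B };
static const struct ias HALF = { "CN=Example CA B", NULL, 0 };

int main(void)
{
    /* prints "1 -2": a match at index 1, then ERR_INCOMPLETE_ID */
    printf("%d %d\n", find_recipient(&ENV, &WANT_B), find_recipient(&ENV, &HALF));
    return 0;
}
```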

