Re: EVP errors!
This is not working... I have just done a hex dump and the key still bears no resemblence to the key reported by the command lineis it because i have version 0.9.8k of the SDK and 0.9.8g of the command line? Dr. Stephen Henson wrote: On Mon, Aug 10, 2009, MusicAndy wrote: The Key looks completely different in command line to my program. Why would this be the case when i am calling the bytes to key function I am using a password of 1 therefore in the C++ do I need to do the same.. do I need to pad out the password in the C++? Help :( The key from EVP_BytesToKey() is in hex format so you need to do a hex dump of it. You don't need to pad out the password a standard null terminated string is fine. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org -- View this message in context: http://www.nabble.com/EVP-errors%21-tp24898590p24913177.html Sent from the OpenSSL - User mailing list archive at Nabble.com. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: EVP errors!
GOT IT WORKING!! WOOHOO! (open up the champagne!) Now I just need to get it working with salt (maybe with a tequilla and lemon) MusicAndy wrote: This is not working... I have just done a hex dump and the key still bears no resemblence to the key reported by the command lineis it because i have version 0.9.8k of the SDK and 0.9.8g of the command line? Dr. Stephen Henson wrote: On Mon, Aug 10, 2009, MusicAndy wrote: The Key looks completely different in command line to my program. Why would this be the case when i am calling the bytes to key function I am using a password of 1 therefore in the C++ do I need to do the same.. do I need to pad out the password in the C++? Help :( The key from EVP_BytesToKey() is in hex format so you need to do a hex dump of it. You don't need to pad out the password a standard null terminated string is fine. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org -- View this message in context: http://www.nabble.com/EVP-errors%21-tp24898590p24913748.html Sent from the OpenSSL - User mailing list archive at Nabble.com. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Des3 and the salt option
Hi folks. Well almost got things to work the way i want to :jumping: One more question. The salt format of a file in DES3. I notice that the file that has been encrypted with the use of salt has Salted__ followed by bytes of data. If i read this from a stream, do i strip the Salted__ part off and then read the next 8 bytes of data as the salt encryption? -- View this message in context: http://www.nabble.com/Des3-and-the-salt-option-tp24914436p24914436.html Sent from the OpenSSL - User mailing list archive at Nabble.com. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Des3 and the salt option
Also, do I need to strip out these salt characters in my input buffer? The reason i ask is that it is decrypting most of the file but leaves this at the top (if you see the rest of this string is an xml header) ›³žšb+pÙ\ªú6*ýÑ.Ë€ÆÑErsion=1.0 encoding=UTF-8? MusicAndy wrote: Hi folks. Well almost got things to work the way i want to :jumping: One more question. The salt format of a file in DES3. I notice that the file that has been encrypted with the use of salt has Salted__ followed by bytes of data. If i read this from a stream, do i strip the Salted__ part off and then read the next 8 bytes of data as the salt encryption? -- View this message in context: http://www.nabble.com/Des3-and-the-salt-option-tp24914436p24914925.html Sent from the OpenSSL - User mailing list archive at Nabble.com. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Des3 and the salt option
On Tue, Aug 11, 2009, MusicAndy wrote: Hi folks. Well almost got things to work the way i want to :jumping: One more question. The salt format of a file in DES3. I notice that the file that has been encrypted with the use of salt has Salted__ followed by bytes of data. If i read this from a stream, do i strip the Salted__ part off and then read the next 8 bytes of data as the salt encryption? Well it's a salt value. You pass that to EVP_BytesToKey(). The data following the salt is the encrypted stream so you pass that to EVP_DecryptUpdate() or similar. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Des3 and the salt option
So Steve, do I strip out the salted__ characters plus the following 8 bits? Dr. Stephen Henson wrote: On Tue, Aug 11, 2009, MusicAndy wrote: Hi folks. Well almost got things to work the way i want to :jumping: One more question. The salt format of a file in DES3. I notice that the file that has been encrypted with the use of salt has Salted__ followed by bytes of data. If i read this from a stream, do i strip the Salted__ part off and then read the next 8 bytes of data as the salt encryption? Well it's a salt value. You pass that to EVP_BytesToKey(). The data following the salt is the encrypted stream so you pass that to EVP_DecryptUpdate() or similar. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org -- View this message in context: http://www.nabble.com/Des3-and-the-salt-option-tp24914436p24916632.html Sent from the OpenSSL - User mailing list archive at Nabble.com. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Des3 and the salt option
On Tue, Aug 11, 2009, MusicAndy wrote: So Steve, do I strip out the salted__ characters plus the following 8 bits? If by strip out you mean, don't try to decrypt them and if by 8 bits you mean 8 bytes then yes ;-) Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Des3 and the salt option
Furthermore, why when it is decrypting does it appear to be overwritting with these characters ?xml version=1.0 encoding=UTF-8 ? MusicAndy wrote: So Steve, do I strip out the salted__ characters plus the following 8 bits? Dr. Stephen Henson wrote: On Tue, Aug 11, 2009, MusicAndy wrote: Hi folks. Well almost got things to work the way i want to :jumping: One more question. The salt format of a file in DES3. I notice that the file that has been encrypted with the use of salt has Salted__ followed by bytes of data. If i read this from a stream, do i strip the Salted__ part off and then read the next 8 bytes of data as the salt encryption? Well it's a salt value. You pass that to EVP_BytesToKey(). The data following the salt is the encrypted stream so you pass that to EVP_DecryptUpdate() or similar. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org -- View this message in context: http://www.nabble.com/Des3-and-the-salt-option-tp24914436p24916803.html Sent from the OpenSSL - User mailing list archive at Nabble.com. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Des3 and the salt option
ALL SORTED NOW :jumping: :handshake::clap: Many thanks for your help Steve! :) Furthermore, why when it is decrypting does it appear to be overwritting with these characters ?xml version=1.0 encoding=UTF-8 ? So Steve, do I strip out the salted__ characters plus the following 8 bits? On Tue, Aug 11, 2009, MusicAndy wrote: Hi folks. Well almost got things to work the way i want to :jumping: One more question. The salt format of a file in DES3. I notice that the file that has been encrypted with the use of salt has Salted__ followed by bytes of data. If i read this from a stream, do i strip the Salted__ part off and then read the next 8 bytes of data as the salt encryption? Well it's a salt value. You pass that to EVP_BytesToKey(). The data following the salt is the encrypted stream so you pass that to EVP_DecryptUpdate() or similar. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org -- View this message in context: http://www.nabble.com/Des3-and-the-salt-option-tp24914436p24916949.html Sent from the OpenSSL - User mailing list archive at Nabble.com. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Certificate verification through Callback
Hi All I am using SSL_CTX_set_cert_verify_callback(ctx, callback, (void *)arg) API to register the callback function for certificate verification. However I need to set the mode (SSL_VERIFY_PEER) for SSL Context. I am using below code to set mode and callback function. Is it right way of doing it or there are someother way of seeting the mode (SSL_VERIFY_PEER). /* Set Mode*/ SSL_CTX_set_verify (ctx, SSL_VERIFY_PEER, NULL); /* Set callback */ SSL_CTX_set_cert_verify_callback(ctx, sslCertVerifyCallBack, (void *)this); Kamal Cisco, Bangalore India __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Is Openssl vulnerable to Null-Prefix Attacks?
Recently there has been some discussion on the Internet regarding so called null-prefix attacks, see http://www.thoughtcrime.org/papers/null-prefix-attacks.pdf. Is openssl vulnerable to this attack? /Roger _ Med Windows Live kan du ordna, redigera och dela med dig av dina foton. http://www.microsoft.com/sverige/windows/windowslive/products/photo-gallery-edit.aspx
Help!!!
Hi, I am new to OpenSSL and I was going through the following post. http://marc.info/?l=openssl-usersm=112774769218757w=2 Well I want achieve a similar thing. I want to reduce the per connection memory usage of OpenSSL. Now, I am facing a few issues : *i) Connecting a client to the server.* I started an OpenSSL server (openssl s_server -accept 9000 -cert server.pem ) and created a certificate on my own using the /etc/pki/tls/certs/Makefile. Now, as soon as I connect a client with the server I get some return codes like, Return Code : 18(self signed certificate) and then the server and client stay as it is. If I try connecting another client to this server I get no response. Is it normal? *ii) Connecting multiple clients to the server.* I havn't been able to achieve this, yet. But I think to see the memory usage per connection I should do that. Any ideas? *iii) To see the memory usage per connection.* I have read in some earlier that users have done the same thing. Could anyone tell me what exactly should we use to memory profile OpenSSL. I dont think ps or top would be a very good idea. Is it? Can I have some pointers? Thanks and regards, Vishal Saraswat
Noticed something in the openssl-1.0.0 20090811 SNAPshot
First Time I have seem Cannot find path to openssl/engines/ . In FreeBSD-7.2 and64 it is a show stopper. In the old BSDI BSD/OS 4.3.X just create directory and away you go. Suggestion: Can the path to openssl/engines/ point ot path to openssl/lib/ after all only .so's are being installed. -- Member - Liberal International This is doc...@nl2k.ab.ca Ici doc...@nl2k.ab.ca God, Queen and country! Beware Anti-Christ rising! Never Satan President Republic! The fool says in his heart, There is no God. They are corrupt, and their ways are vile; there is no one who does good. - Ps 53:1 __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Is Openssl vulnerable to Null-Prefix Attacks?
Hi, I read the PDF and my first question would be. How is this relevant to openssl, since it is normally only used for creating and signing certificates It is more up to a brower to do the proper checking; That's why the PDF states While many SSL/TLS implemntations fall victim to this, Mozila's NSS is the worst. If anyone disagrees, please explain why! HTH Regards, Serge Fonville On Tue, Aug 11, 2009 at 9:35 AM, Roger No-Spamroger_no_s...@hotmail.com wrote: Recently there has been some discussion on th Internet regarding so called null-prefix attacks, see http://www.thoughtcrime.org/papers/null-prefix-attacks.pdf. Is openssl vulnerable to this attack? /Roger kolla in resten av Windows LiveT. Inte bara e-post - Windows LiveT är mycket mer än din inkorg. Mer än bara meddelanden __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Is Openssl vulnerable to Null-Prefix Attacks?
Recently there has been some discussion on th Internet regarding so called null-prefix attacks, see http://www.thoughtcrime.org/papers/null-prefix-attacks.pdf. Is openssl vulnerable to this attack? I read the PDF and my first question would be. How is this relevant to openssl, since it is normally only used for creating and signing certificates It is more up to a brower to do the proper checking; That's why the PDF states While many SSL/TLS implemntations fall victim to this, Mozila's NSS is the worst. Have you read this? http://it.slashdot.org/comments.pl?threshold=-1mode=flatcommentsort=0op=Changesid=1325051 HTH __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: Is Openssl vulnerable to Null-Prefix Attacks?
When I read through the null prefix attack paper I took it to mean that browser and certificate vendors were not doing an adequate job of verifying domain names. There's nothing inherently wrong with using counted strings (actually that is a step in the right direction IMHO). The problem is that browsers are assuming that a Pascal string is equivalent to a null-terminated string. --Will -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Serge Fonville Sent: Tuesday, August 11, 2009 10:51 AM To: openssl-users@openssl.org Subject: Re: Is Openssl vulnerable to Null-Prefix Attacks? Hi, I read the PDF and my first question would be. How is this relevant to openssl, since it is normally only used for creating and signing certificates It is more up to a brower to do the proper checking; That's why the PDF states While many SSL/TLS implemntations fall victim to this, Mozila's NSS is the worst. If anyone disagrees, please explain why! HTH Regards, Serge Fonville On Tue, Aug 11, 2009 at 9:35 AM, Roger No-Spamroger_no_s...@hotmail.com wrote: Recently there has been some discussion on th Internet regarding so called null-prefix attacks, see http://www.thoughtcrime.org/papers/null-prefix-attacks.pdf. Is openssl vulnerable to this attack? /Roger kolla in resten av Windows LiveT. Inte bara e-post - Windows LiveT är mycket mer än din inkorg. Mer än bara meddelanden __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Is Openssl vulnerable to Null-Prefix Attacks?
Roger No-Spam wrote: Recently there has been some discussion on the Internet regarding so called null-prefix attacks, see http://www.thoughtcrime.org/papers/null-prefix-attacks.pdf. Is openssl vulnerable to this attack?. The attack is not an attack against SSL/TLS, but against implementation of HTTPS (RFC 2818) , FTPS(RFC 4217) , ... Callers of the openssl library which were wrong can/were fixed without any change in openssl OTOH, openssl doesn't make life very easy for clients to compare a hostname against the content of a cert according to 2818. But there is a bug, try 'openssl x509 -text' with -BEGIN CERTIFICATE- MIIDQzCCAiugAwIBAgIGC106rLQUMA0GCSqGSIb3DQEBCwUAMGcxCzAJBgNVBAYT Ak5OMTEwLwYDVQQKDChFZGVsIEN1cmwgQXJjdGljIElsbHVkaXVtIFJlc2VhcmNo IENsb3VkMSUwIwYDVQQDDBxOb3RoZXJuIE5vd2hlcmUgVHJ1c3QgQW5jaG9yMB4X DTA5MDgwNTIwMzM1MloXDTE3MTAyMjIwMzM1MlowVDELMAkGA1UEBhMCTk4xMTAv BgNVBAoMKEVkZWwgQ3VybCBBcmN0aWMgSWxsdWRpdW0gUmVzZWFyY2ggQ2xvdWQx EjAQBgNVBAMMCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA rMkv3/hSj5nIM9FZJ0ou0nAL9RBAjKosq9DS7R9GKG0zR++hqrUjtIB304IYhbA2 wAajC6qMO2F+G9Sxvn3dlRCSVlmi/dbvwpJnBYmsXw0a0jlO5WlkNX6Gmo82BKJW utIWaB1X9iQmWDTBulhPqbYawEt8ofsZVlxMPUTS+x0CAwEAAaOBizCBiDAWBgNV HREEDzANggtsb2NhbGhvc3QAaDALBgNVHQ8EBAMCBSAwEwYDVR0lBAwwCgYIKwYB BQUHAwEwHQYDVR0OBBYEFDEAb4+NfTuIPD3/9tQHpeTMetx+MB8GA1UdIwQYMBaA FBJrJNJKaLehsBzNv9ZMzEBbf+BAMAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQEL BQADggEBAA3mVsQEaDLJKiJfDcLQONqVt9EPRGaRCm6RXIGHZ3mGlK3K99YSEeFc VIFuonJmr1agiXpNZuYjVqUNgXG86NPgvZtpWYLCUL4uvZ+QLLRSGeW+BGYY8U35 NE0hI4EsE9VN2FkIGm+xJ0C4VQ8dU3qu3vzgoJQxY2pwl+phzlEQiOaZ9SlNlIJ0 MFycxnAyoqgXMiNKTN0I7IfSGYoZKqSjmOhJpHGqqbZ2dvD9BiWyiROdYam3CqJg hHkVV5JifBsVATXUWPvgcS2N/Ec3hZ95ttwprut9xut7PD1IPE7twJgTEBY833d0 E4n20bhWVhXyil+F42/IqmRveucu6tc= -END CERTIFICATE- __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Redux and Resolved: Deconstructing OASIS Web Services Security SOAP Messages with OpenSSL utilities
For some reason I didn't get any newsfeeds after re-subscribing, so I can't really post to my earlier inquiry. I've figured this out. 1) Convert Key's CipherValue from base64-to-binary 2) rsautl against the Key's CipherValue.bin - gives binary version of the decoded key (uses the private key) 3) Convert the binary version of the decoded key to hex - this will be the -K for bulk operations (the shared secret) 4) Convert the Body's Cipher Value from base64-to-binary 5) Save off the first 16 bytes for the IV - converting to Hex (becomes the Initialization Vector) 6) Save off the remainder of the BodyCipherValue.bin (len-16 - this was where I messed up) 7) Decrypt with cipher -in BodyCipherValueRemainder.bin with -K and -iv values The -K is RSA encrypted with the public key, but the IV is in cleartext, prepended to the AES/bulk encrypted part. ___ Carlo Milono Director of Engineering TIBCO Software Inc. Direct: +1(650) 846-5152 mailto: cmil...@tibco.com __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org