Re: non-blocking problem
On Tue, Apr 27, 2010 at 5:48 PM, Dr. Stephen Henson st...@openssl.org wrote: On Tue, Apr 27, 2010, piper.guy1 wrote: Hi again, I'm trying to follow the instructions in the OpenSSL reference book, and their example code from their site for setting a socket to 'non-blocking'. Before I made any changes, I was working with good code that was making secure connections with no problems. Essentially: bio = BIO_new_connect(connect_str); BIO_do_connect(bio); ssl = SSL_new(ctx); SSL_set_bio(ssl, bio, bio); SSL_connect(ssl); From the example code, it seemed easy enough to call 'SSL_get_rfd() using the SSL object to get the file descriptor in order to use fcntl() to change the socket to non-blocking. However when I did this, calls to SSL_get_rfd() always return -1. Reading the function description docs, SSL_get_rfd() will return -1 if the BIO is not suitable for file descriptors. The example code doesn't show how their BIO SSL objects were created, and there's no other reference or information on what they mean on how to make them 'suitable'. So, I tried another approach. I created a socket the convention way and did a connect, followed by: bio = BIO_new_socket(sd, BIO_CLOSE); ssl = SSL_new(ctx) ; SSL_set_bio(ssl, bio, bio); SSL_connect(ssl); which also workeduntil I called SSL_get_rfd() after I created the SSL object, which again returned -1. What am I doing wrong? How do you make a BIO object for file descriptors suitable? Well I didn't write that suitable phrase. I'm not sure why you're getting the -1 return does ERR_print_errors_fp(stderr) give anything useful? In the second example you can use the pass descriptor sd for the purpose: all the following calls do is associate it with the SSL structure. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-us...@openssl.org Automated List Manager majord...@openssl.org Steve and all, Embarrassingly, after looking at my code, I wasn't quite doing what I said I was doing. I was making the call to SSL_get_rfd() BEFORE calling SSL_connect(). Once I called SSL_get_rfd() after SSL_connect() it worked like a charm. thanx /carl h. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Is it not possible to decrypt partial AES messages?
Hello, Here is some example code of me trying to decrypt a partial AES message. It doesn't work.. is there a way I can do something like this? It only works if I call DecryptMessage() with the entire encrypted string. Why? Thanks!! #include openssl/evp.h #include iostream #include string using namespace std; #pragma comment (lib, libeay32MDd.lib) EVP_CIPHER_CTX enCTX, deCTX; int blockSize=128; string DecryptMessage(const string message) { try { int p_len = message.length(), f_len = 0; unsigned char* plaintext = (unsigned char*)malloc(p_len); if(!EVP_DecryptInit_ex(deCTX, NULL, NULL, NULL, NULL)) cerr ERROR in EVP_DecryptInit_ex endl; if(!EVP_DecryptUpdate(deCTX, plaintext, p_len, (unsigned char*)message.data(), message.length())) cerr ERROR in EVP_DecryptUpdate endl; if(!EVP_DecryptFinal_ex(deCTX, plaintext+p_len, f_len)) cerr ERROR in EVP_DecryptFinal_ex endl; return string((char*)plaintext, p_len + f_len-1); } catch(...) { return message; } } string EncryptMessage(const string message) { try { // max ciphertext len for a n bytes of plaintext is n + AES_BLOCK_SIZE bytes int c_len = message.length() + blockSize; unsigned char *ciphertext = (unsigned char*)malloc(c_len); if(!EVP_EncryptInit_ex(enCTX, NULL, NULL, NULL, NULL)) cerr ERROR in EVP_EncryptInit_ex endl; // update ciphertext, c_len is filled with the length of ciphertext generated if(!EVP_EncryptUpdate(enCTX, ciphertext, c_len, (unsigned char*)message.data(), message.length()+1)) cerr ERROR in EVP_EncryptUpdate endl; // update ciphertext with the final remaining bytes int f_len = 0; if(!EVP_EncryptFinal_ex(enCTX, ciphertext+c_len, f_len)) cerr ERROR in EVP_EncryptFinal_ex endl; return string((char*)ciphertext, c_len + f_len); } catch(...) { return message; } } int main() { // ssl init const EVP_CIPHER* c = EVP_aes_128_cbc(); unsigned char key[32], iv[32]; string passphrase=test; string salt=12345678; int rounds=5; EVP_BytesToKey(c, EVP_sha1(), (unsigned char*)salt.data(), (unsigned char*)passphrase.data(), passphrase.length(), rounds, key, iv); EVP_CIPHER_CTX_init(deCTX); EVP_DecryptInit_ex(deCTX, c, NULL, key, iv); EVP_CIPHER_CTX_init(enCTX); EVP_EncryptInit_ex(enCTX, c, NULL, key, iv); // trying to encrypt and decrypt string plaintext = 015this is a test!; cout plaintext: plaintext endl; string ciphertext = EncryptMessage(plaintext); cout ciphertext: ciphertext endl; string header = ciphertext.substr(0, 7); cout header: header endl; string decrypted_header = DecryptMessage(header); cout decrypted header: decrypted_header endl; }
RE: Is it not possible to decrypt partial AES messages?
Christina Penn wrote: Here is some example code of me trying to decrypt a partial AES message. It doesn't work.. is there a way I can do something like this? It only works if I call DecryptMessage() with the entire encrypted string. Why? Your DecryptMessage function is specifically designed to require the entire encrypted string: if(!EVP_DecryptFinal_ex(deCTX, plaintext+p_len, f_len)) cerr ERROR in EVP_DecryptFinal_ex endl; See how it calls EVP_DecryptFinal_ex? As EVP_DecryptInit should only be called at the very start to initialize a message, so EVP_DecryptFinal_ex should only be called at the very end to finish a complete message. In the middle, you should only be using EVP_DecryptUpdate. DS __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org