Re: AES-256 CBC encrypt/decrypt usage problem
David, Thanks for taking out time to review my code and reply. 1) I agree that using sizeof was a blunder on my part. 2) I'm calling decode2 with rg_conf_buf_dup and rg_conf_buf_dup_2, second one being the output buffer. So I'm certain that I don't modify the input buffer (though I just zero out only the part of my output buffer due to sizeof thing). I was also wondering about the cipher block size. I was thinking of using 16 as block size, read the input buffer in chunks of block size one at a time, decrypt, copy and append to the output buffer. Do you think that would work ? Could I then use the buffer holding decrypted data in the decode2 function and get the original data back ? How can I get the size of decrypted buffer - strlen wouldn't work, I suppose ? Thanks, Kunal On Thu, May 20, 2010 at 8:38 PM, David Schwartz wrote: > > Kunal Sharma wrote: > > > void encode2(char *inbuf,char *outbuf) > { >unsigned char key32[] = "As different as chalk and cheese"; >unsigned char iv[] = "As dark as pitch"; > >AES_KEY aeskey; > >memset(outbuf, 0, sizeof(outbuf)); > >AES_set_encrypt_key(key32, 32*8, &aeskey); > >AES_cbc_encrypt(inbuf, outbuf, strlen(inbuf), &aeskey, iv, > AES_ENCRYPT); > >return; > } > > You can't mean 'sizeof(outbuf)' -- 'outbuf' is a *pointer* to the output > buffer. What does the size of that pointer have to do with anything? > > void decode2(char *inbuf,char *outbuf,int len) > { >unsigned char key32[] = "As different as chalk and cheese"; >unsigned char iv[] = "As dark as pitch"; > >AES_KEY aeskey; > >memset(outbuf, 0, sizeof(outbuf)); > >AES_set_decrypt_key(key32, 32*8, &aeskey); > >AES_cbc_encrypt(inbuf, outbuf, len, &aeskey, iv, AES_DECRYPT); > >return; > } > > Same use of 'sizeof(outbuf)' where that makes no sense (what does the size > of the pointer to the output buffer have to do with anything?). Also, what > happens if the plaintext is not a precise multiple of the cipher block > size? > > It seems like you have picked a low-level encryption/decryption function > where you wanted a high-level one. > > Also, you have one amusing boner. Your 'decode2' function tries to zero the > output buffer, but actually only zeroes part of it. But you call it with > the > output buffer and input buffer the same! So you are actually erasing part > of > your input buffer before you use it! > > DS > > __ > OpenSSL Project http://www.openssl.org > User Support Mailing Listopenssl-users@openssl.org > Automated List Manager majord...@openssl.org >
Re: Base64 Decode Problem/Question
Hi All, I figured out my problem. The call to BIO_set_flags() wasn't correct. Replacing the sequence: : b64 = BIO_new(BIO_f_base64()); BIO_set_flags(bmem, BIO_FLAGS_BASE64_NO_NL); bio = BIO_push(b64, bmem); : with : b64 = BIO_new(BIO_f_base64()); bio = BIO_push(b64, bmem); BIO_set_flags(bio, BIO_FLAGS_BASE64_NO_NL); : fixed the problem. Regards, ...doug --- On Thu, 5/20/10, Doug Kehn wrote: > From: Doug Kehn > Subject: Re: Base64 Decode Problem/Question > To: openssl-users@openssl.org > Date: Thursday, May 20, 2010, 3:37 PM > Hi Bruno, > > --- On Thu, 5/20/10, Bruno Vetel > wrote: > > > From: Bruno Vetel > > Subject: Re: Base64 Decode Problem/Question > > To: openssl-users@openssl.org > > Date: Thursday, May 20, 2010, 1:43 PM > > Doug Kehn > > writes: > > > > > Hi All, > > > > > Hi > > > > \n is not base64. Try with echo -n > > > > I removed the '\n' and got the same result. > > > (Sorry for the double post. I had mailer problems and > didn't think the first attempt went out.) > > > > > > I'm trying to decode a base64 encoded string. > > The problem I'm running in to is that BIO_read() > always > > returns 0. BIO_should_retry() and BIO_should_read() > > also return 0 when BIO_read() returns 0. If the > base64 > > encoded string is shortened, BIO_read returns the > decoded > > information. I'm using OpenSSL 0.9.8g 19 Oct 2007 > on > > Ubuntu 9.04. > > > > > > Any suggestions on what I'm doing wrong? > > > > > > Thanks, > > > ...doug > > > > > > ---8<- > > > > > > /* > > > * Compiled with: gcc -Wall -lssl > > > */ > > > > > > #include > > > #include > > > #include > > > #include > > > > > > int main(int argc, char **argv) > > > { > > > #if 1 > > > /* > > > * This does not work > > > */ > > > char *message = > > > "Tm8gaXMgdGhlIHRpbWUgZm9yIGFsbCBnb29kIG1lbiB0byBjb21lIHRvIHRoZSBhaWQgb2YgdGhlaXIgY291bnRyeS4NClRoZSBxdWljayBicm93biBmb3gganVtcGVkIG92ZXIgdGhlIGxhenkgZG9nJ3MgYmFjayAwMTIzNDU2Nzg5Lg==\n"; > > > #endif > > > #if 0 > > > /* > > > * This shortened version > > works > > > */ > > > char *message = > > "Tm8gaXMgdGhlIHRpbWUgZm9yIGFsbCBnb29kIG1lbiB0by==\n"; > > > #endif > > > > > > BIO *b64, *bio, *bmem; > > > char *buf; > > > int i = strlen(message) + 25; > > > > > > buf = malloc(i); > > > if (!buf) { > > > printf("malloc > > fail, %m\n"); > > > return -1; > > > } > > > > > > bmem = > > BIO_new_mem_buf((void*)message, -1); > > > b64 = BIO_new(BIO_f_base64()); > > > BIO_set_flags(bmem, > > BIO_FLAGS_BASE64_NO_NL); > > > bio = BIO_push(b64, bmem); > > > i = BIO_read(bio, (void*)buf, i); > > > buf[i] = '\0'; > > > BIO_free_all(bio); > > > > > > printf("%s\n%s\n", message, buf); > > > > > > return 0; > > > } > > > > > > > > > > > > __ > > > OpenSSL Project > > > > http://www.openssl.org > > > User Support Mailing List > > openssl-users@openssl.org > > > Automated List Manager > > > > majord...@openssl.org > > > __ > > OpenSSL Project > > > > http://www.openssl.org > > User Support Mailing List > > openssl-users@openssl.org > > Automated List Manager > > > > majord...@openssl.org > > > > > > __ > OpenSSL Project > > http://www.openssl.org > User Support Mailing List > openssl-users@openssl.org > Automated List Manager > > majord...@openssl.org > __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: Question about SSL_load_client_CA_file()
> From: owner-openssl-us...@openssl.org On Behalf Of cschwaderer > Sent: Thursday, 20 May, 2010 15:33 > I created a CA file that is a simple Linux cat of two certificates. > The file path and name of caFile = "/etc/myClientCAs". > > Then I execute SSL_load_client_CA_file(caFile); > [and] struct_st->num ... says 1 instead of 2. > > Is there any special requirements to the file being passed in to the > SSL_load_client_CA_file() call? Or can it be a simple > concatination of two > base64 PEM certificates in order for this call to recognize > that there are > two certificates in this file? > Just a concatenation. To be abundantly clear, like: -BEGIN CERTIFICATE- base64cert usually several lines -END CERTIFICATE- -BEGIN CERTIFICATE- base64cert ditto -END CERTIFICATE- If you want you can even do: othergarbage may be multiple lines -BEGIN CERTIFICATE- base64cert usually several lines -END CERTIFICATE- othergarbage ditto -BEGIN CERTIFICATE- base64cert ditto -END CERTIFICATE- othergarbage ditto And the same answer for _load_verify_(,file,) presumably also relevant per your prior message. But different for _load_verify_(,,dir). __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: CA file with multiple certificates, only the 1st one in the file works
> From: owner-openssl-us...@openssl.org On Behalf Of cschwaderer > Sent: Wednesday, 19 May, 2010 18:50 > I'm having a problem with an OpenSSL client and server > application I wrote. > Client 1 uses certificate A and client 2 uses certificate B. > > I create a CA file on the server that contains A followed by > B. In this c > ase, client 1 works correctly and client 2 does not. If I > change the CA file > such that the file contains B followed by A, now client 2 > works correctly > and client 1 does not. > Are the client certs self-signed, or do you mean the clients have (entity) certs *signed* by A and B respectively? If the latter, are A and B for the same CA, in particular the same subject-name? If so, do the child certs use AKID? If not, openssl won't be able to chain correctly. It only looks for one parent, and doesn't handle ambiguous cases. Alternatively, do selfsigned=entity A and B have the same (subject and issuer) name? That would be bogus, and not work. Exactly what error(s) do you get? See below. > I don't know if this is a problem on the server or the > client. My first > thought is that it's a server problem and for some reason > it's only using > the first certificate in the CA file (but I'm using the > SSL_CTX_set_client_CA_list() call). > > It could be something I'm not doing on the client side where > when the server > sends the CAs to the client, maybe it's only looking at the first > certificate and not seeing its certificate? > The client never sees the *certs* accepted by the server. The server optionally sends a list of CA/signer *names*, which some clients like IE and FF use to choose among multiple own certs. But openssl client just sends what was specified. (Unless there's a callback for this I haven't noticed.) So if you control both ends _set_client_CA_list is useless. > Here is the server code block: > // Store the cert file name and path > if (strlen(sslCertFile) > sizeof(rpdCertFile)) { > throw new SSLServerError("Server cert file path > too large!", > -1); > } > strcpy(rpdCertFile, sslCertFile); > Nit: this (and two more like it) isn't actually safe. strcpy(d,s) copies strlen(s) bytes PLUS the null-byte terminator, so you need to check strlen()+1 > sizeof, or more trickily strlen() >= sizeof. But it is extremely unlikely this relates to your current problem. > if ((err = SSL_CTX_set_cipher_list(ctx, > SRVR_CIPHER_LIST) != 1)) { > MESSAGE("***Error %d setting cipher list", err); > SSL_CTX_free(ctx); > throw new SSLServerError("Error setting cipher > list", err); > } > And many more like it: most openssl routines return only a summary success/failure, either outright as 1/0 or maybe 1/0/-few, or implicitly as pointer/null. In most cases, there is more detailed and useful information in the "error stack", and you should display it. The simplest way is just call ERR_print_errors_fp, usually on stderr. If you want to rework it into some other logging/reporting scheme, which it appears you may have, use ERR_get_error (in a loop until zero!), ERR_error_string, and friends. The major exception is protocol routines (SSL_connect,accept,read,write,etc) which fail due to the underlying socket I/O, or are nonblocking and not currently ready/done/etc (which is not really an error). > // Set the list of trusted CAs based on the file > and/or directory > // provided. The NULL is the CA directory if the > caller wishes to > // separate the file name from the directory path. This comment is very confused. _load_verify_locations can specify a file (including path) which contains multiple certs; or a directory (including path) which contains multiple *files* with symlinks from their (subject) hashes, each containing a cert. These are different formats, although serving the same purpose. > DBG("SSLSrvr: Trusted CAs file we're using is [%s]", > rpdCAFile); > if (SSL_CTX_load_verify_locations(ctx, rpdCAFile, NULL) < 1) { > MESSAGE("***ERROR verifying CA file/dir location > [%s][%s]", > rpdCAFile, NULL); > SSL_CTX_free(ctx); > throw new SSLServerError("Error verifying CA > locations", errno); > } > You're not "verifying CA locations", you're specifying the location(s) of CA cert(s) which will be used to verify the peer (here client). If your MESSAGE() is a *printf wrapper or otherwise (sufficiently) *printf like, giving %s a NULL pointer is NOT safe. *Some* C libraries (notably at least some versions of glibc) are nice about this common error, but some aren't. > // Load the list of acceptable CAs to send to the > client when the > // SSL connection request comes in from the SSL client. This comment on the other hand is exactly right. You don't show the actual connection logic. Or any detail about the actual errors/problems. Server
RE: Base64 Decode Problem/Question
> From: owner-openssl-us...@openssl.org On Behalf Of Bruno Vetel > Sent: Thursday, 20 May, 2010 13:44 > Doug Kehn writes: > \n is not base64. Try with echo -n > > I'm trying to decode a base64 encoded string. The problem > I'm running in to is that BIO_read() always returns 0. > [...] If the base64 encoded string is shortened [it works] Other way. The base64 concept allows linebreaks, and other whitespace -- that's exactly one of the 'transport damage' it was created to cope with. Original PEM required linebreaks at *exactly* 64 characters, and MIME requires *up to* 76. BIO_f_base64() output=encode does 64, and it appears to me input accepts up to 76 and maybe 80. For 'no limit' use BIO_FLAGS_BASE64_NO_NULL as per the man page. Or for all-in-memory, just call EVP_DecodeBlock directly. You don't really need all the BIO framework stuff. (Or you can write your own b64decode in about 10-20 lines.) __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Question about SSL_load_client_CA_file()
I created a CA file that is a simple Linux cat of two certificates. The file path and name of caFile = "/etc/myClientCAs". Then I execute SSL_load_client_CA_file(caFile); If I look at the STACK_OF(X509_NAME) that gets returned from this call, I believe it resolves to struct_st. so, if I look at the struct_st->num (which I assume should be the number of certificates it found), it says 1 instead of 2. Is there any special requirements to the file being passed in to the SSL_load_client_CA_file() call? Or can it be a simple concatination of two base64 PEM certificates in order for this call to recognize that there are two certificates in this file? -- View this message in context: http://old.nabble.com/Question-about-SSL_load_client_CA_file%28%29-tp28625931p28625931.html Sent from the OpenSSL - User mailing list archive at Nabble.com. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Base64 Decode Problem/Question
Hi Bruno, --- On Thu, 5/20/10, Bruno Vetel wrote: > From: Bruno Vetel > Subject: Re: Base64 Decode Problem/Question > To: openssl-users@openssl.org > Date: Thursday, May 20, 2010, 1:43 PM > Doug Kehn > writes: > > > Hi All, > > > Hi > > \n is not base64. Try with echo -n > I removed the '\n' and got the same result. (Sorry for the double post. I had mailer problems and didn't think the first attempt went out.) > > > I'm trying to decode a base64 encoded string. > The problem I'm running in to is that BIO_read() always > returns 0. BIO_should_retry() and BIO_should_read() > also return 0 when BIO_read() returns 0. If the base64 > encoded string is shortened, BIO_read returns the decoded > information. I'm using OpenSSL 0.9.8g 19 Oct 2007 on > Ubuntu 9.04. > > > > Any suggestions on what I'm doing wrong? > > > > Thanks, > > ...doug > > > > ---8<- > > > > /* > > * Compiled with: gcc -Wall -lssl > > */ > > > > #include > > #include > > #include > > #include > > > > int main(int argc, char **argv) > > { > > #if 1 > > /* > > * This does not work > > */ > > char *message = > "Tm8gaXMgdGhlIHRpbWUgZm9yIGFsbCBnb29kIG1lbiB0byBjb21lIHRvIHRoZSBhaWQgb2YgdGhlaXIgY291bnRyeS4NClRoZSBxdWljayBicm93biBmb3gganVtcGVkIG92ZXIgdGhlIGxhenkgZG9nJ3MgYmFjayAwMTIzNDU2Nzg5Lg==\n"; > > #endif > > #if 0 > > /* > > * This shortened version > works > > */ > > char *message = > "Tm8gaXMgdGhlIHRpbWUgZm9yIGFsbCBnb29kIG1lbiB0by==\n"; > > #endif > > > > BIO *b64, *bio, *bmem; > > char *buf; > > int i = strlen(message) + 25; > > > > buf = malloc(i); > > if (!buf) { > > printf("malloc > fail, %m\n"); > > return -1; > > } > > > > bmem = > BIO_new_mem_buf((void*)message, -1); > > b64 = BIO_new(BIO_f_base64()); > > BIO_set_flags(bmem, > BIO_FLAGS_BASE64_NO_NL); > > bio = BIO_push(b64, bmem); > > i = BIO_read(bio, (void*)buf, i); > > buf[i] = '\0'; > > BIO_free_all(bio); > > > > printf("%s\n%s\n", message, buf); > > > > return 0; > > } > > > > > > > __ > > OpenSSL Project > > http://www.openssl.org > > User Support Mailing List > openssl-users@openssl.org > > Automated List Manager > > majord...@openssl.org > __ > OpenSSL Project > > http://www.openssl.org > User Support Mailing List > openssl-users@openssl.org > Automated List Manager > > majord...@openssl.org > __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Base64 Decode Problem/Question
Doug Kehn writes: > Hi All, > Hi \n is not base64. Try with echo -n Bruno > I'm trying to decode a base64 encoded string. The problem I'm running in to > is that BIO_read() always returns 0. BIO_should_retry() and > BIO_should_read() also return 0 when BIO_read() returns 0. If the base64 > encoded string is shortened, BIO_read returns the decoded information. I'm > using OpenSSL 0.9.8g 19 Oct 2007 on Ubuntu 9.04. > > Any suggestions on what I'm doing wrong? > > Thanks, > ...doug > > ---8<- > > /* > * Compiled with: gcc -Wall -lssl > */ > > #include > #include > #include > #include > > int main(int argc, char **argv) > { > #if 1 > /* >* This does not work >*/ > char *message = > "Tm8gaXMgdGhlIHRpbWUgZm9yIGFsbCBnb29kIG1lbiB0byBjb21lIHRvIHRoZSBhaWQgb2YgdGhlaXIgY291bnRyeS4NClRoZSBxdWljayBicm93biBmb3gganVtcGVkIG92ZXIgdGhlIGxhenkgZG9nJ3MgYmFjayAwMTIzNDU2Nzg5Lg==\n"; > #endif > #if 0 > /* >* This shortened version works >*/ > char *message = "Tm8gaXMgdGhlIHRpbWUgZm9yIGFsbCBnb29kIG1lbiB0by==\n"; > #endif > > BIO *b64, *bio, *bmem; > char *buf; > int i = strlen(message) + 25; > > buf = malloc(i); > if (!buf) { > printf("malloc fail, %m\n"); > return -1; > } > > bmem = BIO_new_mem_buf((void*)message, -1); > b64 = BIO_new(BIO_f_base64()); > BIO_set_flags(bmem, BIO_FLAGS_BASE64_NO_NL); > bio = BIO_push(b64, bmem); > i = BIO_read(bio, (void*)buf, i); > buf[i] = '\0'; > BIO_free_all(bio); > > printf("%s\n%s\n", message, buf); > > return 0; > } > > > __ > OpenSSL Project http://www.openssl.org > User Support Mailing Listopenssl-users@openssl.org > Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: print smime cipher
On Thu, May 20, 2010, Michael Strder wrote: > Rainer Giedat wrote: > > i have a hard time figuring out how i can print the cipher used to > > encrypt a smime encrypted mail. > > openssl smime -in test.eml -pk7out|openssl asn1parse > > Or with OpenSSL 1.0 in case S/MIME MUA sent CMS instead of PKCS#7: > > openssl cms -in test.eml -cmsout -outform pem|openssl asn1parse > That could be fooled by carefully crafted messages to fool parsers. Would be better if there was an option to print the cipher but currently there isn't. This is slightly better: openssl cms -cmsout -in test.eml -print -noout Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: print smime cipher
Rainer Giedat wrote: > i have a hard time figuring out how i can print the cipher used to > encrypt a smime encrypted mail. openssl smime -in test.eml -pk7out|openssl asn1parse Or with OpenSSL 1.0 in case S/MIME MUA sent CMS instead of PKCS#7: openssl cms -in test.eml -cmsout -outform pem|openssl asn1parse Ciao, Michael. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
print smime cipher
Hi list, i have a hard time figuring out how i can print the cipher used to encrypt a smime encrypted mail. I already rtfm of course, but could not find it. Is this possible with the openssl command line tool or do i really have to hack something by myself? Thank you, Rainer __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Base64 Decode Problem/Question
Hi All, I'm trying to decode a base64 encoded string. The problem I'm running in to is that BIO_read() always returns 0. BIO_should_retry() and BIO_should_read() also return 0 when BIO_read() returns 0. If the base64 encoded string is shortened, BIO_read returns the decoded information. I'm using OpenSSL 0.9.8g 19 Oct 2007 on Ubuntu 9.04. Any suggestions on what I'm doing wrong? Thanks, ...doug ---8<- /* * Compiled with: gcc -Wall -lssl */ #include #include #include #include int main(int argc, char **argv) { #if 1 /* * This does not work */ char *message = "Tm8gaXMgdGhlIHRpbWUgZm9yIGFsbCBnb29kIG1lbiB0byBjb21lIHRvIHRoZSBhaWQgb2YgdGhlaXIgY291bnRyeS4NClRoZSBxdWljayBicm93biBmb3gganVtcGVkIG92ZXIgdGhlIGxhenkgZG9nJ3MgYmFjayAwMTIzNDU2Nzg5Lg==\n"; #endif #if 0 /* * This shortened version works */ char *message = "Tm8gaXMgdGhlIHRpbWUgZm9yIGFsbCBnb29kIG1lbiB0by==\n"; #endif BIO *b64, *bio, *bmem; char *buf; int i = strlen(message) + 25; buf = malloc(i); if (!buf) { printf("malloc fail, %m\n"); return -1; } bmem = BIO_new_mem_buf((void*)message, -1); b64 = BIO_new(BIO_f_base64()); BIO_set_flags(bmem, BIO_FLAGS_BASE64_NO_NL); bio = BIO_push(b64, bmem); i = BIO_read(bio, (void*)buf, i); buf[i] = '\0'; BIO_free_all(bio); printf("%s\n%s\n", message, buf); return 0; } __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Base64 Decode Problem
Hi All, I'm trying to decode a base64 encoded string. The problem I'm running in to is that BIO_read() always returns 0. BIO_should_retry() and BIO_should_read() also return 0 when BIO_read() returns 0. If the base64 encoded string is shortened, BIO_read returns the decoded information. I get this result using OpenSSL 0.9.8k (cross-compiled for a Blackfin processor) and OpenSSL 0.9.8g on Ubuntu 9.04. Any suggestions on what I'm doing wrong? Thanks, ...doug ---8<- /* * Compiled with: gcc -Wall -lssl */ #include #include #include #include int main(int argc, char **argv) { #if 1 /* * This does not work */ char *message = "Tm8gaXMgdGhlIHRpbWUgZm9yIGFsbCBnb29kIG1lbiB0byBjb21lIHRvIHRoZSBhaWQgb2YgdGhlaXIgY291bnRyeS4NClRoZSBxdWljayBicm93biBmb3gganVtcGVkIG92ZXIgdGhlIGxhenkgZG9nJ3MgYmFjayAwMTIzNDU2Nzg5Lg==\n"; #endif #if 0 /* * This shortened version works */ char *message = "Tm8gaXMgdGhlIHRpbWUgZm9yIGFsbCBnb29kIG1lbiB0by==\n"; #endif BIO *b64, *bio, *bmem; char *buf; int i = strlen(message); buf = malloc(i); if (!buf) { printf("malloc fail, %m\n"); return -1; } bmem = BIO_new_mem_buf((void*)message, -1); b64 = BIO_new(BIO_f_base64()); BIO_set_flags(bmem, BIO_FLAGS_BASE64_NO_NL); bio = BIO_push(b64, bmem); i = BIO_read(bio, (void*)buf, i); buf[i] = '\0'; BIO_free_all(bio); printf("%s\n%s\n", message, buf); return 0; } __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: AES-256 CBC encrypt/decrypt usage problem
Kunal Sharma wrote: void encode2(char *inbuf,char *outbuf) { unsigned char key32[] = "As different as chalk and cheese"; unsigned char iv[] = "As dark as pitch"; AES_KEY aeskey; memset(outbuf, 0, sizeof(outbuf)); AES_set_encrypt_key(key32, 32*8, &aeskey); AES_cbc_encrypt(inbuf, outbuf, strlen(inbuf), &aeskey, iv, AES_ENCRYPT); return; } You can't mean 'sizeof(outbuf)' -- 'outbuf' is a *pointer* to the output buffer. What does the size of that pointer have to do with anything? void decode2(char *inbuf,char *outbuf,int len) { unsigned char key32[] = "As different as chalk and cheese"; unsigned char iv[] = "As dark as pitch"; AES_KEY aeskey; memset(outbuf, 0, sizeof(outbuf)); AES_set_decrypt_key(key32, 32*8, &aeskey); AES_cbc_encrypt(inbuf, outbuf, len, &aeskey, iv, AES_DECRYPT); return; } Same use of 'sizeof(outbuf)' where that makes no sense (what does the size of the pointer to the output buffer have to do with anything?). Also, what happens if the plaintext is not a precise multiple of the cipher block size? It seems like you have picked a low-level encryption/decryption function where you wanted a high-level one. Also, you have one amusing boner. Your 'decode2' function tries to zero the output buffer, but actually only zeroes part of it. But you call it with the output buffer and input buffer the same! So you are actually erasing part of your input buffer before you use it! DS __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
AES-256 CBC encrypt/decrypt usage problem
Friends, This is the first time I'm using Openssl for some small job to encrypt and decrypt buffers for my application usage. My requirement is simple: 1) My application gets a buffer that needs to be encrypted. 2) My application gets a buffer that needs to be decrypted. This buffer can be exactly same as the one I get after encryption in step 1. Alternatively, I'll copy this in a file, save it to the disk, decrypt it using Openssl command line tools, encrypt again (using the same password as used in step 1) and feed it to the application. I should get what I originally had or with modifications I did. Here's the code I'm using: + function1() { //get the buffer *rg_conf_buf *..read from a file or anywhere else char *rg_conf_buf_dup=NULL; //buffer for encrypted data char *rg_conf_buf_dup_2=NULL; //buffer for decrypted data int rg_conf_len = strlen(rg_conf_buf); //int i=0; rg_conf_buf_dup = (char *)zalloc_e(rg_conf_len); rg_conf_buf_dup_2 = (char *)zalloc_e(rg_conf_len); memcpy(rg_conf_buf_dup,rg_conf_buf,rg_conf_len); //make copy of original buf rg_error(LCONSOLE, "\n%s : rg_conf buf size = %d\n", __FUNCTION__,rg_conf_len); //print the size //for (i=0;i
CA file with multiple certificates, only the 1st one in the file works
Hi, I'm having a problem with an OpenSSL client and server application I wrote. Client 1 uses certificate A and client 2 uses certificate B. I create a CA file on the server that contains A followed by B. In this c ase, client 1 works correctly and client 2 does not. If I change the CA file such that the file contains B followed by A, now client 2 works correctly and client 1 does not. I don't know if this is a problem on the server or the client. My first thought is that it's a server problem and for some reason it's only using the first certificate in the CA file (but I'm using the SSL_CTX_set_client_CA_list() call). It could be something I'm not doing on the client side where when the server sends the CAs to the client, maybe it's only looking at the first certificate and not seeing its certificate? If anyone can see what I'm missing to allow multiple certificates to work for a given server, I'm grateful for the help! Here is the server code block: if (SSL_library_init() != 1) { throw new SSLServerError("Error initializing SSL library!", -1); } // Store the cert file name and path if (strlen(sslCertFile) > sizeof(rpdCertFile)) { throw new SSLServerError("Server cert file path too large!", -1); } strcpy(rpdCertFile, sslCertFile); // Store the key file name and path if (strlen(sslKeyFile) > sizeof(rpdKeyFile)) { throw new SSLServerError("Server key file path too large!", -1); } strcpy(rpdKeyFile, sslKeyFile); // Store the CA file name and path if (strlen(sslCAFile) > sizeof(rpdCAFile)) { throw new SSLServerError("Server CA file path too large!", -1); } strcpy(rpdCAFile, sslCAFile); // Initialize the OpenSSL environment ERR_clear_error(); SSL_load_error_strings(); OpenSSL_add_all_algorithms(); //ERR_load_BIO_strings(); //ERR_load_SSL_strings(); // Create the server instance and context method = SSLv3_server_method(); //DBG("Returned method pointer = %p", method); if ((ctx = SSL_CTX_new(method)) == NULL) { throw new SSLServerError("Error creating SSL ctx object", errno); } DBG("SSLSrvr: Set valid ciphers list to [%s]", SRVR_CIPHER_LIST); if ((err = SSL_CTX_set_cipher_list(ctx, SRVR_CIPHER_LIST) != 1)) { MESSAGE("***Error %d setting cipher list", err); SSL_CTX_free(ctx); throw new SSLServerError("Error setting cipher list", err); } // Indicate the certificate file to be used DBG("SSLSrvr: Certificate file we're using is [%s]", rpdCertFile); if ((err = SSL_CTX_use_certificate_file(ctx, rpdCertFile, SSL_FILETYPE_PEM) != 1)) { MESSAGE("***ERROR %d setting cert file %s: %s", err, rpdCertFile, strerror(errno)); SSL_CTX_free(ctx); throw new SSLServerError("Error setting cert file", err); } #if 0 // Our private key doesn't contain any encrypted data // Load the password for the Private Key SSL_CTX_set_default_passwd_cb_userdata(ctx, (void*)KEY_PASSWD); #endif // Indicate the key file to be used DBG("SSLSrvr: Private key file we're using is [%s]", rpdKeyFile); if (SSL_CTX_use_PrivateKey_file(ctx, rpdKeyFile, SSL_FILETYPE_PEM) <= 0){ MESSAGE("***ERROR %d setting private key file %s: %s", err, rpdKeyFile, strerror(errno)); SSL_CTX_free(ctx); throw new SSLServerError("Error setting private key file", errno); } // Make sure the key and certificate file match if (!SSL_CTX_check_private_key(ctx)) { MESSAGE("***ERROR private key doesn't match the cert public key!"); SSL_CTX_free(ctx); throw new SSLServerError("Error setting private key file", errno); } // Set the list of trusted CAs based on the file and/or directory // provided. The NULL is the CA directory if the caller wishes to // separate the file name from the directory path. DBG("SSLSrvr: Trusted CAs file we're using is [%s]", rpdCAFile); if (SSL_CTX_load_verify_locations(ctx, rpdCAFile, NULL) < 1) { MESSAGE("***ERROR verifying CA file/dir location [%s][%s]", rpdCAFile, NULL); SSL_CTX_free(ctx); throw new SSLServerError("Error verifying CA locations", errno); } // Load the list of acceptable CAs to send to the client when the // SSL connection request comes in from the SSL client. DBG("SSLSrvr: Set the client CA list with file [%s]", rpdCAFile); SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(rpdCAFile)); // Se