R: PKCS12_parse problem

2002-10-25 Thread Marco Donati
Well... the application is actually an intermediate library, so every 
''cryptographic'' operation is enclosed between
OpenSSL_add_all_algorithms()...EVP_cleanup() calls.

There are no OpenSSL_add_all_algorithms() calls without the final EVP_cleanup() and 
vice versa, there are no EVP_cleanup() calls without the initial 
OpenSSL_add_all_algorithms().

Are you saying that this is not enough and that the library should call 
OpenSSL_add_all_algorithms()...EVP_cleanup() only ONCE?
This might not be straightforward

Thanks in advance


 -Original Message-
 From: Dr. Stephen Henson [mailto:steve;openssl.org] 
 Sent: Wednesday, 23 October 2002 18.14
 To: [EMAIL PROTECTED]
 Subject: Re: PKCS12_parse problem
 
 
 On Wed, Oct 23, 2002, Marco Donati wrote:
 
  Adding OpenSSL_add_all_ciphers() or OpenSSL_add_all_digests() doesn't help.
  
  If we comment out the OpenSSL_add_all_algorithms() call, we get the ''correct'' error:
  
  5257:error:2306B076:PKCS12 routines:PKCS12_gen_mac:unknown digest algorithm:p12_mutl.c:80:
  5257:error:2307E06D:PKCS12 routines:VERIFY_MAC:mac generation error:p12_mutl.c:105:
  5257:error:23076071:PKCS12 routines:PKCS12_parse:mac verify failure:p12_kiss.c:121:
  
  If we put the OpenSSL_add_all_algorithms() back in the code we get the ''unexplained'' error:
  
  5637:error:2306B076:lib(35):func(107):reason(118):p12_mutl.c:80:
  5637:error:2307E06D:lib(35):func(126):reason(109):p12_mutl.c:105:
  5637:error:23076071:lib(35):func(118):reason(113):p12_kiss.c:121:
  
  Let me underline again some facts:
  
  1) the first call to PKCS12_parse is ok
  
  2) the PKCS12_parse calls starting from the second report the error above
  
  3) if we restart the application we have the same behavior (first call OK, then errors)
  
  4) the error happens only with OpenSSL 0.9.6g, NOT with OpenSSL 0.9.6c (we haven't tried intermediate versions)
  
  5) with OpenSSL 0.9.6g we get ''similar'' (related?) error in calls like
  
 Are you calling EVP_cleanup() in between calls?
 
 You should really only call OpenSSL_add_all_algorithms() once on application
 startup and EVP_cleanup() when it shuts down.
 
 Steve.
 --
 Dr. Stephen Henson  [EMAIL PROTECTED]
 OpenSSL Project http://www.openssl.org/~steve/
 __
 OpenSSL Project http://www.openssl.org
 User Support Mailing List[EMAIL PROTECTED]
 Automated List Manager   [EMAIL PROTECTED]
 



Re: R: PKCS12_parse problem

2002-10-25 Thread Dr. Stephen Henson
On Fri, Oct 25, 2002, Marco Donati wrote:

 Well... the application is actually an intermediate library, so every
 ''cryptographic'' operation is enclosed between
 OpenSSL_add_all_algorithms()...EVP_cleanup() calls.
 
 There are no OpenSSL_add_all_algorithms() calls without the final EVP_cleanup() and
 vice versa, there are no EVP_cleanup() calls without the initial
 OpenSSL_add_all_algorithms().
 
 Are you saying that this is not enough and that the library should call
 OpenSSL_add_all_algorithms()...EVP_cleanup() only ONCE?
 This might not be straightforward
 

Well let me explain a bit...

OpenSSL has an internal global table of supported algorithms (digests and ciphers).
Certain operations such as PKCS12_parse() look up digests and ciphers from this
table, so if it can't find one it gives the error you are seeing.

Now adding and removing all ciphers whenever you use an OpenSSL command is
not really recommended, it will repeatedly rebuild the table and it is not
thread safe. One thread could access a partially complete table.

So ideally you should only build the table in a single threaded context before
calling any OpenSSL functions and clean it up only after no further calls will
be made.

However one added complication is that a change was made to OpenSSL 0.9.6g
which avoids a problem of duplicate calls to OpenSSL_add_all_algorithms()
creating duplicate table entries by only making the first call work. This
has a problem because EVP_cleanup() doesn't reset the flag so effectively
only the first call to OpenSSL_add_all_algorithms() works. This isn't what
earlier 0.9.6X did and this will be fixed for 0.9.6h. You can get the old
behaviour by deleting the relevant lines from OpenSSL_add_all_ciphers() and
OpenSSL_add_all_digests().

Steve.
--
Dr. Stephen Henson  [EMAIL PROTECTED]
OpenSSL Project http://www.openssl.org/~steve/
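
The flag behaviour described in the reply above for 0.9.6g, as an added toy model in C. It is not OpenSSL source and not code from the thread: model_add_all, model_cleanup, model_lookup, the flag variables and the two table entries are constructed names standing in for OpenSSL_add_all_algorithms(), EVP_cleanup() and the table lookup done during PKCS12_parse().

```c
#include <stdio.h>
#include <string.h>
/* Toy model only: hypothetical names, not OpenSSL internals. */
static const char *table[8];            /* global algorithm table */
static int n_algs;                      /* entries currently in the table */
static int added_once;                  /* "only the first call works" flag */
static int reset_on_cleanup;            /* 0 models the 0.9.6g behaviour */

static void model_add_all(void) {
    if (added_once) return;             /* guard against duplicate entries */
    added_once = 1;
    table[n_algs++] = "sha1";           /* constructed sample entries */
    table[n_algs++] = "des-ede3-cbc";
}

static void model_cleanup(void) {
    n_algs = 0;                         /* table emptied ... */
    if (reset_on_cleanup) added_once = 0; /* ... flag reset only if asked */
}

static int model_lookup(const char *name) {
    for (int i = 0; i < n_algs; i++)
        if (strcmp(table[i], name) == 0) return 1;
    return 0;                           /* the "unknown digest algorithm" case */
}

/* Library style from the thread: add/cleanup around every operation.
   Returns how many of the lookups succeeded. */
int bracket_each_call(int calls, int reset_flag) {
    int ok = 0;
    n_algs = 0; added_once = 0; reset_on_cleanup = reset_flag;
    for (int i = 0; i < calls; i++) {
        model_add_all();
        ok += model_lookup("sha1");
        model_cleanup();
    }
    return ok;
}

/* Recommended style: build the table once, clean up at shutdown. */
int init_once(int calls) {
    int ok = 0;
    n_algs = 0; added_once = 0; reset_on_cleanup = 0;
    model_add_all();
    for (int i = 0; i < calls; i++) ok += model_lookup("sha1");
    model_cleanup();
    return ok;
}

int main(void) {
    printf("%d %d %d\n", bracket_each_call(3, 0), bracket_each_call(3, 1), init_once(3));
    return 0;
}
```

With the flag left set after cleanup, only the first bracketed operation finds its digest, which matches the "first call OK, then errors" symptom reported in the thread.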