[openssl.org #1633] Bug - MayBe
Hi, I'm trying to encrypt a serialized java file (test.ser) using OpenSSL. I've used the Runtime.getRuntime().exec function and i've passed to it the following string array : {"cmd.exe", "/c", "openssl smime -encrypt"} (it will create a new file : test1.ser) everything works fine. then i've used the openssl to decrypt test1.ser. it will create new file (test2.ser). For some reasons, test2.ser is not similar to test.ser (which must not), and test2.ser cannot be used with FileInputStream and ObjectInputStream to be deserialized using the readObject function. (It will fail on the construction of ObjectInputStream). Is it a bug? Any Help??? - Ne gardez plus qu'une seule adresse mail ! Copiez vos mails vers Yahoo! Mail Hi,I'm trying to encrypt a serialized java file (test.ser) using OpenSSL. I've used the Runtime.getRuntime().exec function and i've passed to it the following string array : {"cmd.exe", "/c", "openssl smime -encrypt"}(it will create a new file : test1.ser)everything works fine. then i've used the openssl to decrypt test1.ser. it will create new file (test2.ser). For some reasons, test2.ser is not similar to test.ser (which must not), and test2.ser cannot be used with FileInputStream and ObjectInputStream to be deserialized using the readObject function. (It will fail on the construction of ObjectInputStream).Is it a bug? Any Help??? Ne gardez plus qu'une seule adresse mail ! Copiez vos mails vers Yahoo! Mail
FIPS 186-3 (mainly DSA with SHA224/SHA256) support?
Dear friends, are there any plans to update the DSA code according to the standard (please refer to the mail subject)? The DSA parameter generation would need an update making it completely independent from the SHA-1 stuff and breaking any limits enforced on the length of the seed. Cheers, Ingo. __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
[openssl.org #1632] DTLS: Extra bytes in Alert messages
Hi, The alert message currently contains extra bytes in the payload. Proposed patch below Thanks, Alex. Index: ssl/d1_pkt.c === RCS file: /data1/Repository/openssl/ssl/d1_pkt.c,v retrieving revision 1.4.2.9 diff -u -w -B -b -r1.4.2.9 d1_pkt.c --- ssl/d1_pkt.c3 Oct 2007 10:18:06 - 1.4.2.9 +++ ssl/d1_pkt.c18 Oct 2007 00:12:44 - @@ -1576,7 +1576,7 @@ { int i,j; void (*cb)(const SSL *ssl,int type,int val)=NULL; - unsigned char buf[2 + 2 + 3]; /* alert level + alert desc + message seq +frag_off */ + unsigned char buf[DTLS1_AL_HEADER_LENGTH]; unsigned char *ptr = &buf[0]; s->s3->alert_dispatch=0; @@ -1585,6 +1585,10 @@ *ptr++ = s->s3->send_alert[0]; *ptr++ = s->s3->send_alert[1]; +#if 0 +/* XXX: this is a possible improvement in the future */ + /* now check if it's a missing record */ + if (s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE) { s2n(s->d1->handshake_read_seq, ptr); @@ -1600,6 +1604,7 @@ #endif l2n3(s->d1->r_msg_hdr.frag_off, ptr); } +#endif i = do_dtls1_write(s, SSL3_RT_ALERT, &buf[0], sizeof(buf), 0); if (i <= 0) Index: ssl/dtls1.h === RCS file: /data1/Repository/openssl/ssl/dtls1.h,v retrieving revision 1.4.2.3 diff -u -w -B -b -r1.4.2.3 dtls1.h --- ssl/dtls1.h 1 Oct 2007 06:28:48 - 1.4.2.3 +++ ssl/dtls1.h 18 Oct 2007 00:12:12 - @@ -84,7 +84,8 @@ #define DTLS1_CCS_HEADER_LENGTH 1 -#define DTLS1_AL_HEADER_LENGTH 7 +#define DTLS1_AL_HEADER_LENGTH 2 +/* 7 if we later support DTLS1_AD_MISSING_HANDSHAKE_MESSAGE */ typedef struct dtls1_bitmap_st Hi,The alert message currently contains extra bytes in the payload.Proposed patch belowThanks,Alex.Index: ssl/d1_pkt.c=== RCS file: /data1/Repository/openssl/ssl/d1_pkt.c,vretrieving revision 1.4.2.9diff -u -w -B -b -r1.4.2.9 d1_pkt.c--- ssl/d1_pkt.c 3 Oct 2007 10:18:06 - 1.4.2.9+++ ssl/d1_pkt.c 18 Oct 2007 00:12:44 -@@ -1576,7 +1576,7 @@ { int i,j; void (*cb)(const SSL *ssl,int type,int val)=NULL;- unsigned char buf[2 + 2 + 3]; /* alert level + alert desc + message seq +frag_off */ + unsigned char buf[DTLS1_AL_HEADER_LENGTH]; unsigned char *ptr = &buf[0]; s->s3->alert_dispatch=0;@@ -1585,6 +1585,10 @@ *ptr++ = s->s3->send_alert[0]; *ptr++ = s->s3->send_alert[1];+#if 0+ /* XXX: this is a possible improvement in the future */+ /* now check if it's a missing record */+ if (s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE) { s2n(s->d1->handshake_read_seq, ptr);@@ -1600,6 +1604,7 @@ #endif l2n3(s->d1->r_msg_hdr.frag_off, ptr); }+#endif i = do_dtls1_write(s, SSL3_RT_ALERT, &buf[0], sizeof(buf), 0); if (i <= 0)Index: ssl/dtls1.h===RCS file: /data1/Repository/openssl/ssl/dtls1.h,v retrieving revision 1.4.2.3diff -u -w -B -b -r1.4.2.3 dtls1.h--- ssl/dtls1.h 1 Oct 2007 06:28:48 - 1.4.2.3+++ ssl/dtls1.h 18 Oct 2007 00:12:12 - @@ -84,7 +84,8 @@ #define DTLS1_CCS_HEADER_LENGTH 1-#define DTLS1_AL_HEADER_LENGTH 7+#define DTLS1_AL_HEADER_LENGTH 2+ /* 7 if we later support DTLS1_AD_MISSING_HANDSHAKE_MESSAGE */ typedef struct dtls1_bitmap_st
[openssl.org #1631] OpenSSL loading engines multiple times in interactive mode
Hello... I am experiencing the exact problem described in ticket #1242 (http://rt.openssl.org/Ticket/Display.html?id=1242) with 0.9.8e and 0.9.8g. The ticket claims that this was fixed, but that doesn't seem to be the case. If I launch OpenSSL with no parameters, then the first command run at the OpenSSL> prompt will work normally. Any subsequent command produces the following error: Error configuring OpenSSL 7244:error:26078067:engine routines:ENGINE_LIST_ADD:conflicting engine id:eng_list.c:116: 7244:error:2606906E:engine routines:ENGINE_add:internal list error:eng_list.c:288: 7244:error:260B6067:engine routines:DYNAMIC_LOAD:conflicting engine id:eng_dyn.c:540: 7244:error:0E07606D:configuration file routines:MODULE_RUN:module initialization error:conf_mod.c:234:module=engines, value=engine_section, retcode=-1 error in engine This occurs using the stock RedHat packages on RHEL5 (x86_64), as well as a built-from-source version of 0.9.8g on the same system. My openssl.cnf file contains the following (everything below this is stock/default as installed from a 'make install'): === # # OpenSSL example configuration file. # This is mostly being used for generation of certificate requests. # # This definition stops the following lines choking if HOME isn't # defined. HOME= . RANDFILE= $ENV::HOME/.rnd openssl_conf= openssl_init [ openssl_init ] # Extra OBJECT IDENTIFIER info: #oid_file = $ENV::HOME/.oid oid_section = new_oids engines = engine_section [ engine_section ] LunaCA3 = luna_section [ luna_section ] dynamic_path = /usr/local/ssl/lib/engines/liblunaca3.so init = 0 # To use this configuration file with the "-extfile" option of the # "openssl x509" utility, name here the section containing the # X.509v3 extensions to use: # extensions= # (Alternatively, use a configuration file that has only # X.509v3 extensions in its main [= default] section.) [ new_oids ] # We can add new OIDs in here for use by 'ca' and 'req'. # Add a simple OID like this: # testoid1=1.2.3.4 # Or use config file substitution like this: # testoid2=${testoid1}.5.6 [ ca ] default_ca = CA_default# The default ca section === My rather quick and poor solution to this problem was to modify conf_mod.c (0.9.8g) as follows, but there's probably a better way to do it: === diff -ruN a/crypto/conf/conf_mod.c b/crypto/conf/conf_mod.c --- a/crypto/conf/conf_mod.c2007-09-06 05:43:49.0 -0700 +++ b/crypto/conf/conf_mod.c2008-01-11 15:13:30.0 -0700 @@ -58,6 +58,7 @@ #include #include +#include #include #include "cryptlib.h" #include @@ -119,6 +120,8 @@ static CONF_MODULE *module_load_dso(const CONF *cnf, char *name, char *value, unsigned long flags); +int engines_already_loaded=0; + /* Main function: load modules from a CONF structure */ int CONF_modules_load(const CONF *cnf, const char *appname, @@ -153,10 +156,20 @@ for (i = 0; i < sk_CONF_VALUE_num(values); i++) { vl = sk_CONF_VALUE_value(values, i); - ret = module_run(cnf, vl->name, vl->value, flags); + if (!(strcmp(vl->name, "engines")) && engines_already_loaded) + ret = 1; + else + ret = module_run(cnf, vl->name, vl->value, flags); if (ret <= 0) + { if(!(flags & CONF_MFLAGS_IGNORE_ERRORS)) return ret; + } + else + { + if(!(strcmp(vl->name, "engines"))) + engines_already_loaded = 1; + } } return 1; === -- Ryan __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]