Re: Are Hash sha1 of the same data different ?????(It shouldn't be but.....)
Dr S N Henson wrote:
>
> > size = i2d_PublicKey(pub, NULL);
> > pu = (unsigned char*)malloc((size+1) * sizeof(unsigned char));
> > i2d_PublicKey(pub, &pu);
>
> This is one problem: your use of i2d_PublicKey() is wrong. After this
> call 'pu' will actually point to garbage. Check the FAQ for the correct
> way to do this.
[]
Thanks for you answer ,
I thought I had fixed my error thanks to the tip above given,
but less changed.
In the source code below I try to make 3 times the same operation.
3 different values are given as the result of the SHA1.
I'm usign openssl 0.9.5.a under linux.
Other results(different) are obtained if the code is compiled with c++
compiler.
I hope you can help me.
#include
#include
#include
#include
#include
int main(int argc,char **argv)
{
X509 *cert;
X509 *cert1;
X509 *cert2;
EVP_PKEY *pub;
EVP_PKEY *pub1;
EVP_PKEY *pub2;
EVP_PKEY *pri;
EVP_PKEY *pri1;
EVP_PKEY *pri2;
EVP_MD_CTX mdctx;
EVP_MD_CTX mdctx1;
EVP_MD_CTX mdctx2;
unsigned char *pu,*p;
unsigned char *pu1,*p1;
unsigned char *pu2,*p2;
unsigned char dg[EVP_MAX_MD_SIZE];
unsigned char dg1[EVP_MAX_MD_SIZE];
unsigned char dg2[EVP_MAX_MD_SIZE];
const EVP_MD *md;
const EVP_MD *md1;
const EVP_MD *md2;
unsigned int mdLen,mdLen1,mdLen2;
int size,size1,size2;
char pass[50];
int l;
FILE *f;
FILE *fp;
FILE *Fp;
PKCS12 *p12,*pk12,*pkc12;
if (argc != 2)
{
printf("Usage test \n");
exit(-1);
}
OpenSSL_add_all_algorithms();
OpenSSL_add_all_digests();
if ((f = fopen(argv[1], "r")) == NULL ){
perror ("Errore apertura file");
exit(-1);
}
if ((fp = fopen(argv[1], "r")) == NULL ){
perror ("Errore apertura file");
exit(-1);
}
if ((Fp = fopen(argv[1], "r")) == NULL ){
perror ("Errore apertura file");
exit(-1);
}
p12 = d2i_PKCS12_fp(f, NULL);
pk12 = d2i_PKCS12_fp(fp, NULL);
pkc12 = d2i_PKCS12_fp(Fp,NULL);
fclose(f);
fclose(fp);
fclose(Fp);
EVP_read_pw_string(pass, 50, "Password to import certificate: ",
0);
if (!PKCS12_parse(p12,pass , &pri, &cert,NULL)){
perror("Erorre");
exit(-1);
}
if (!PKCS12_parse(pk12, pass, &pri1, &cert1, NULL)){
perror("Errore");
exit(-1);
}
if(!PKCS12_parse(pkc12,pass,&pri2,&cert2,NULL)){
perror("Errore");
exit(-1);
}
PKCS12_free(p12);
PKCS12_free(pk12);
PKCS12_free(pkc12);
pub = X509_get_pubkey(cert);
pub1 = X509_get_pubkey(cert1);
pub2 = X509_get_pubkey(cert2);
size = i2d_PublicKey(pub, NULL);
p = (unsigned char*)malloc((size+1) * sizeof(unsigned char));
pu = p;
i2d_PublicKey(pub, &pu);
md = EVP_sha1();
size1 = i2d_PublicKey(pub1, NULL);
p1 =(unsigned char*)malloc((size1+1) * sizeof(unsigned char));
pu1 = p1;
i2d_PublicKey(pub1, &pu1);
md1 = EVP_sha1();
size2 = i2d_PublicKey(pub2,NULL);
p2 = (unsigned char*)malloc((size2+1)* sizeof(unsigned char));
pu2 = p2;
i2d_PublicKey(pub, &pu2);
md2 = EVP_sha1();
EVP_DigestInit(&mdctx, md);
EVP_DigestUpdate(&mdctx, pu, size);
EVP_DigestFinal(&mdctx, dg, &mdLen);
printf("DIGEST 1 :");
for (l = 0; l < mdLen; l++)
printf("%02X", dg[l]);
printf("\n");
EVP_DigestInit(&mdctx1, md1);
EVP_DigestUpdate(&mdctx1, pu1, size1);
EVP_DigestFinal(&mdctx1, dg1, &mdLen1);
printf("DIGEST 2 :");
for (l = 0; l < mdLen1; l++)
printf("%02X", dg1[l]);
printf("\n");
EVP_DigestInit(&mdctx2, md2);
EVP_DigestUpdate(&mdctx2, pu2, size2);
EVP_DigestFinal(&mdctx2, dg2, &mdLen2);
printf("DIGEST 3 :");
for (l = 0; l < mdLen2; l++)
printf("%02X", dg2[l]);
printf("\n");
}
Re: Are Hash sha1 of the same data different ?????(It shouldn't be but.....)
Sebastiano Di Paola wrote: > > > Thanks for you answer , > I thought I had fixed my error thanks to the tip above given, > but less changed. > In the source code below I try to make 3 times the same operation. > 3 different values are given as the result of the SHA1. > I'm usign openssl 0.9.5.a under linux. > Other results(different) are obtained if the code is compiled with c++ > compiler. > I hope you can help me. > You still haven't got the ASN1 stuff right: > > size = i2d_PublicKey(pub, NULL); > p = (unsigned char*)malloc((size+1) * sizeof(unsigned char)); > pu = p; > i2d_PublicKey(pub, &pu); > md = EVP_sha1(); > You've left 'p' as a pointer to the buffer and used pu as the temp variable. pu will be modified by the i2d call so the data i 'size' bytes starting at 'p'. However later on: > > EVP_DigestInit(&mdctx, md); > EVP_DigestUpdate(&mdctx, pu, size); > EVP_DigestFinal(&mdctx, dg, &mdLen); You are therefore digesting 'pu' rather that 'p'. So either use 'p' in the digest call or p in the i2d call. Steve. -- Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/ Personal Email: [EMAIL PROTECTED] Senior crypto engineer, Celo Communications: http://www.celocom.com/ Core developer of the OpenSSL project: http://www.openssl.org/ Business Email: [EMAIL PROTECTED] PGP key: via homepage. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Auto Reply to your message ...
- The following text is an automated response to your message - I will be in London for the RiskMetrics client event until Monday 25th September. Please contact [EMAIL PROTECTED] for urgent issues. Thanks, Alan Adkins
ANNOUNCE: OpenSSL 0.9.6 Beta 2
Questo indirizzo e' disabilitato. Per favore deregistratelo dal vostro indirizzario o lista di discussione. Grazie. This addres s is disabled. Please remove the address from your address book or distribution list. Thanks. SIB - Politecnico di Milano [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Writing a multithreaded server
Excuse me if this has already been posted but I couldn't find anything in the mail archives. So here it goes. I need to collect statistics from a bunch of client machines spread geographically. The # of client machines could get large (almost 10 clients uploading data every sec) and the data needs to be transfered securely. We are planning to use client certificates to authenticate clients. I am looking for ideas to accomplish this. One idea is to write a multi-threaded SSL server where each thread handles a different connection and stores the data passed over by the client. Whether one server is sufficient depends on the time taken to establish an SSL session and transfer the data. The data size is about 10K and so it seems like the SSL connection time would be a bottleneck. In order to scale I was also thinking of load balancing. The simples would be a DNS round-robin. Q) Can anyone share code to write such a multithreaded server using pthreads on linux? Q) How do I interpret the output from s_time option on openssl. What I get is 299 connections in 12.03s; 24.85 connections/user sec, bytes read 0 299 connections in 31 real seconds, 0 bytes read per connection Q) The s_server.c and s_client.c code examples seem a little too involved for opening an SSL socket. Are there any C++ wrappers for doing this? Thanks in advance -- Ravi. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: Verify signature of a multipart message
>= Original Message From [EMAIL PROTECTED] = > > I could use OpenSSL to decrypt this signed and encrypted message. Then when I > > verify the digital signature, OpenSSL told me that 'content and data present'. > > Is there anything wrong with my code? > Can you send me a copy of the message and/or signature. The signed but > decrypted version that is? b4dec.txt is the original signed and encrypted message, while afterdec.txt is what I got after decryption. cityuca.pem is the CA certificate of the signer. > What version of Netscape is this BTW? 4.71 (40 bit). Angus Lee --- Get Your Free Email at http://www.hknetmail.com vfymsg.zip
IE can't process 1024 bits cert?
i can't import certificate of more than 512 bits into IE which is imported. does imported IE can't process >512 bits certificate? thanks a lot!! __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: IE can't process 1024 bits cert?
I think your IE does not have 1024-bit key. Please verify this by viewing the Help->About dialog. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: IE can't process 1024 bits cert?
> I think your IE does not have 1024-bit key. Please verify this by viewing > the Help->About dialog. thank you for your answer. I checked my IE version information, it only tell me like that: version: 5.00.2614.3500 key length: 40-bit it doesn't show the key length of certificate. how can i know of that? appreciate for your help! __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: Writing a multithreaded server
> One idea is to write a multi-threaded SSL server where each thread > handles a different connection and stores the data passed over by the > client. Whether one server is sufficient depends on the time taken to > establish an SSL session and transfer the data. The data size is about > 10K and so it seems like the SSL connection time would be a bottleneck. Don't go thread-per-client. That forces a context switch every time you change which client you are working on. Better to go single threaded than force extra context switches. If you want to use threads, use them right (thread pools, job queues, etcetera). DS __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: Import Export Restrictions
> If I am using SSL 128 Bit Encryption considered "retail" encryption by the > federal government? > We desire to use it in an application where encrypted data is transported > from a ASP in the USA to Mexico and back, however we are unsure > of the legal > implications can you please help or send us to someone that can. Our > understanding is that SSL would have to apply with the federal > government to > classify it as "retail". yet the government does not publish the list of > encryption tools that are considered "retail". They state that the company > themselves could tell us. Even if SSL itself were classified as retail (which it couldn't be, since it's a protocol), this wouldn't make your product which uses SSL retail. A product that can hook into external encryption routines is itself encryption and would itself need to be classified. Check out http://www.bxa.doc.gov/Encryption/qanda.htm DS __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: IE can't process 1024 bits cert?
>> I think your IE does not have 1024-bit key. Please verify this by viewing >> the Help->About dialog. > > thank you for your answer. I checked my IE version information, it only > tell me like that: > version: 5.00.2614.3500 > key length: 40-bit > > it doesn't show the key length of certificate. how can i know of that? > > appreciate for your help! 40-bit is the cipher strength. The key length should be 512-bit. If you want IE to handle certificates with 1024-bit keys, you will need to download the high encryption package (click on "update information" next to cipher strength in that About dialog box). Regards, Michael Lee __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Problem: Adding certificate and private key to IIS 5.0
Hi, > So, now finally my question: First, what encoding have certificate and private key >have to have for working > with the above command. Both, the key and certificate _SHOULD_ be in PEM format refer to http://www.openssl.org/docs/apps/pkcs12.html# for details. Can you please tell, Which tool was used to generate the private key and the CSR (certificate signing request) ? hope this helps, regards, Mandar -- Mandar Prabhakar Behere Member of Technical Staff Persistent Systems Pvt. Ltd. Phone : office : 91-20-5676700 ext. 541 residence : 91-20-4485174 __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: IE can't process 1024 bits cert?
> 40-bit is the cipher strength. The key length should be 512-bit. > If you want IE to handle certificates with 1024-bit keys, you will need to > download the high encryption package (click on "update information" next to > cipher strength in that About dialog box). thanks a lot. but i'm still confused of the cipher strength and key length. i always think 40-bit should be the key length of symmetric cipher algorithm and 512-bit is the key length of asymmetric cipher algorithm. 40-bit data encryption aglorithm is always corresponding to 512-bit certificate, and 128-bit to 1024/2048-bit. is that right? thanks!! __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Stupid question (or not) ?
I never got an answer so let's try again... Now that RSA released it's patent to the public, how do we compile openssl without RSARef ??? TIA... begin:vcard adr;dom:;;;Lawrenceville;NJ;08648; adr:;;2083 Lawreceville Road;Lawrenceville;NJ;08648; n:Stella;Ricardo tel;fax:1-609-219-4994 tel;work:1-609-896-5000 x7436 x-mozilla-html:FALSE url:http://poseidon.rider.edu org:Rider University;O.I.T. version:2.1 title:Manager x-mozilla-cpt:;-9584 fn:Ricardo Stella end:vcard
Re: Stupid question (or not) ?
> I never got an answer so let's try again... > > Now that RSA released it's patent to the public, how do we compile > openssl without RSARef ??? ./configure Unless you take steps to link against RSARef, you won't. In fact, go delete the damned thing from your computer. -- Brian HatchPEBKAC: Systems and Problem exists Security Engineerbetween keyboard http://www.ifokr.org/bri/ and chair. Every message PGP signed PGP signature
RE: IE can't process 1024 bits cert?
Hy, >thanks a lot. but i'm still confused of the cipher strength and >key length. i always think 40-bit should be the key length of >symmetric cipher algorithm and 512-bit is the key length of >asymmetric cipher algorithm. It's just. >40-bit data encryption aglorithm >is always corresponding to 512-bit certificate, and 128-bit >to 1024/2048-bit. is that right? No, the certificate is independent of the symetric key-length. You can have a server with a 512 bits certificate which used 128 bits symetric-key, or a server with a 2048 bits certificate which used 40 bits symetric-key. It's just a question of configuration of the server and the version (support crypto 128 bits or No). -- Ludovic FLAMENT __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
