Re: Rijndael

2005-02-24 Thread Manuel Sánchez Cuenca
Lawrence Bowie wrote:
> Where do you hold your IVs for the C program? Are the Java and C
> programs separate or are you using JNI?

Yes, I'm using jni, so I pass the IV as a parameter to a C function.

> Also, I am not sure if "IAIK" is an actually optional Provider if you
> are using JCE, possibly an option using Bouncy Castle. You also might
> try a different padding as well ..
>
> The big thing is: where are your IVs being written to and read from?
> LDB
>
> Manuel Sánchez Cuenca wrote:
> > Hello all, I have to write a C program which decrypts some data
> > encrypted by a java program.  The java program is the following:
> > =
> >  KeyGenerator key_gen = KeyGenerator.getInstance("Rijndael");
> >  SecretKey aes_key = (SecretKey)key_gen.generateKey();
> >  Cipher aes = Cipher.getInstance("Rijndael/CBC/PKCS5Padding", "IAIK");
> >  aes.init(Cipher.ENCRYPT_MODE, aes_key);
> >  byte[] crypted = aes.doFinal(bb.array());
> >  byte[] iv = aes.getIV();
> > =
> > and the C program:
> > =
> >   char byte_aes_key[16]; // < the byte array obtained with aes_key.getEncoded() in java
> >   char byte_iv[16]; // < The iv from the java program
> >   EVP_CIPHER_CTX ctx;
> >   EVP_DecryptInit(&ctx, EVP_aes_128_cbc(), byte_aes_key, byte_iv);
> >   int outlen;
> >   res = EVP_DecryptUpdate(&ctx, decrypted, &outlen, encrypted, encryptedlen);
> > =
> > but the decrypted message isn't correct. Can anybody give me any
> > suggestion?
> >
> > Thanks in advance.
> > __
> > OpenSSL Project                                 http://www.openssl.org
> > User Support Mailing List                    openssl-users@openssl.org
> > Automated List Manager                           [EMAIL PROTECTED]

--
===
Manuel Sanchez Cuenca
Dept. Ingenieria de la Informacion y las Comunicaciones
Universidad de Murcia - España
Tlf: +34 968364644 - Fax: 968364151
email: [EMAIL PROTECTED]
www: http://livia.dif.um.es/~lolo
www: http://livia.dif.um.es/~irisgrid


Signature error

2005-02-24 Thread Manuel Sánchez Cuenca
Hello all, how can I know what this error means: 
error:04077064:lib(4):func(119):reason(100)? It is produced when I try 
to verify an RSA signature.

Thanks in advance.
--
===
Manuel Sanchez Cuenca
Dept. Ingenieria de la Informacion y las Comunicaciones
Universidad de Murcia - España
Tlf: +34 968364644 - Fax: 968364151
email: [EMAIL PROTECTED]
www: http://livia.dif.um.es/~lolo
www: http://livia.dif.um.es/~irisgrid


RSA_sign error

2005-02-24 Thread Manuel Sánchez Cuenca
Hello all, I'm writing a C program to sign a char[] with the following 
code:
==
  FILE *pKeyFile = fopen("srv-key.pem", "r");
  RSA *rsa_key = NULL;
  rsa_key = PEM_read_RSAPrivateKey(pKeyFile, NULL, NULL, NULL);
  char firma_aux[256];
  int firma_aux_len;
  int ret = RSA_sign(NID_sha1WithRSA, message, 144, firma_aux, &firma_aux_len, rsa_key);
==
and I get this error error:04075070:lib(4):func(117):reason(112).

Can anybody tell me what it means?
Thanks in advance.
--
===
Manuel Sanchez Cuenca
Dept. Ingenieria de la Informacion y las Comunicaciones
Universidad de Murcia - España
Tlf: +34 968364644 - Fax: 968364151
email: [EMAIL PROTECTED]
www: http://livia.dif.um.es/~lolo
www: http://livia.dif.um.es/~irisgrid


Re: RSA_sign error

2005-02-24 Thread Marco Roeland
On Thursday 24 February 2005 at 12:33, Manuel Sánchez Cuenca wrote the 
following:

> Hello all, I'm writing a C program to sign a char[] with the following 
> code:
> ==
>   FILE *pKeyFile = fopen("srv-key.pem", "r");
>   RSA *rsa_key = NULL;
>   rsa_key = PEM_read_RSAPrivateKey(pKeyFile, NULL, NULL, NULL);
>   char firma_aux[256];
>   int firma_aux_len;
>   int ret = RSA_sign(NID_sha1WithRSA, message, 144, firma_aux, &firma_aux_len, rsa_key);
> ==
> and I get this error error:04075070:lib(4):func(117):reason(112).
> 
> Can anybody tell me what it means?

openssl errstr 04075070

error:04075070:rsa routines:RSA_sign:digest too big for rsa key

You should give as second argument to RSA_sign the _digest_ of the
message (and its length as third argument). The sha1 digest will be 20
bytes in length.

Instead you have given a pointer to the message itself and its length
(presumably 144). RSA_sign complains because 144 isn't the digest length
for sha1.

So please first calculate the digest of the message, and feed this to
RSA_sign. And you might be better off using higher-level routines
in OpenSSL that can do this.
-- 
Marco Roeland


SSL and OSU

2005-02-24 Thread Chuck Aaron




SSL Group,

I am running the 3.10a osu web server with openvms SSL. Our users access
our server based on two different ip addresses, which correlate to two
different applications. Do you know if there is a way to make users who
are accessing only one of the applications on the web to force them to
ssl (https) and leave the other application http or will I have to make
it all https if I choose that route?

Thanks in advance,
Chuck Aaron





Re: s_client handshake failure [checked for viruses]

2005-02-24 Thread Hans Moser
[EMAIL PROTECTED] wrote the following on 23.02.2005 20:34:
> First of all the HEX lines are important because they contained information
> about the connection (SSL protocol layer: record, alert etc...), in fact it
> acts as -msg option (openssl 0.9.7e).

My fault. But I had to retype it, because there's no LAN-connection too...
But now I have a USB-stick. :-)
linux:~ # openssl s_client -connect localhost:666 -showcerts -tls1 -debug
CONNECTED(0003)
write to 080ABAF0 [080B5F50] (100 bytes => 100 (0x64))
 - 16 03 01 00 5f 01 00 00-5b 03 01 42 1d ff 56 e4   _...[..B..V.
0010 - 63 c2 e5 18 9e 21 94 15-a1 61 b2 78 5a ad 22 9a   c!...a.xZ.".
0020 - 40 29 8b b4 4a 0b db 72-63 b0 e5 00 00 34 00 39   @)..J..rc4.9
0030 - 00 38 00 35 00 16 00 13-00 0a 00 33 00 32 00 2f   .8.5...3.2./
0040 - 00 66 00 05 00 04 00 63-00 62 00 61 00 15 00 12   .f.c.b.a
0050 - 00 09 00 65 00 64 00 60-00 14 00 11 00 08 00 06   ...e.d.`
0060 - 00 03 01  ...
0064 - 
read from 080ABAF0 [080B1740] (5 bytes => 0 (0x0))
5014:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:529:
linux:~ #

> In your case, it seems that your server closed the connection:
> read from 080ABC00 [080B1838] (7 bytes => 0 (0x0))
> The 7 bytes to be read sounds like an "error" message that should be read
> but is not.
> It seems that your server closes the connection without sending anything.
> Which openssl do you use?

linux:~ # openssl version
OpenSSL 0.9.7d 17 Mar 2004  [SuSE 9.1 Prof.]
Hans


Newbe problem

2005-02-24 Thread Sheridan "Dan" Small
I tried making certificates using openssl bundled with Fedora 2. I 
managed to make a server.key, server.csr, ca.key and ca.crt but not a 
server.crt.
So I tried downloading openssl-0.9.7e and followed the instructions on 
http://www.faqs.org/docs/securing/chap24sec192.html. This did not work 
so I tried downloading openssl-0.9.5a as used in the instructions I was 
using but got the same error as with openssl-0.9.7e i.e.

[EMAIL PROTECTED] openssl-0.9.5a]# make -f  Makefile
making all in crypto...
make[1]: Entering directory `/var/tmp/openssl-0.9.5a/crypto'
( echo "#ifndef MK1MF_BUILD"; \
echo "  /* auto-generated by crypto/Makefile.ssl for crypto/cversion.c 
*/"; \
echo "  #define CFLAGS \"egcs -DTHREADS -D_REENTRANT -DSSL_FORBID_ENULL 
-DL_ENDIAN -DTERMIO -O9 -funroll-loops -ffast-math -malign-double 
-mcpu=pentiumpro -march=pentiumpro -fomit-frame-pointer -fno-exceptions 
-Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM\""; \
echo "  #define PLATFORM \"linux-elf\""; \
echo "  #define DATE \"`date`\""; \
echo "#endif" ) >buildinf.h
egcs -I. -I../include -DTHREADS -D_REENTRANT -DSSL_FORBID_ENULL 
-DL_ENDIAN -DTERMIO -O9 -funroll-loops -ffast-math -malign-double 
-mcpu=pentiumpro -march=pentiumpro -fomit-frame-pointer -fno-exceptions 
-Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM   -c -o cryptlib.o cryptlib.c
make[1]: egcs: Command not found
make[1]: *** [cryptlib.o] Error 127
make[1]: Leaving directory `/var/tmp/openssl-0.9.5a/crypto'
make: *** [all] Error 1

I tried leaving Makefile.ssl line 50 as CC= gcc but got the same error.

Can anybody tell me what is happening or going wrong?
Regards,
Sheridan Small


RE: s_client handshake failure [checked for viruses]

2005-02-24 Thread Frédéric Donnat
Sorry,

I think your ldap server is NOT running TLS.

I just tried an s_client on an ldap server without ssl and here is the result:


[EMAIL PROTECTED] donnatfr]# openssl s_client -connect 192.168.0.70:389 -ssl3 -debug
CONNECTED(0003)
write to 0814B438 [081551F0] (88 bytes => 88 (0x58))
 - 16 03 00 00 53 01 00 00-4f 03 00 42 1e 27 c0 19   S...O..B.'..
0010 - 6f b4 bb 2c 1b 2f 48 87-c3 7a ad 8c 5b 43 56 95   o..,./H..z..[CV.
0020 - a5 88 97 05 90 e7 d3 75-2c 37 1b 00 00 28 00 16   ...u,7...(..
0030 - 00 13 00 0a 00 66 00 05-00 04 00 65 00 64 00 63   .f.e.d.c
0040 - 00 62 00 61 00 60 00 15-00 12 00 09 00 14 00 11   .b.a.`..
0050 - 00 08 00 06 00 03 01  ...
0058 - 
read from 0814B438 [081509E0] (5 bytes => 0 (0x0))
4889:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:528:

The server does not respond to the client hello message and closes the 
connection.


Fred

-----Original Message-----
From:    [EMAIL PROTECTED] on behalf of Hans Moser
Sent:    Wed 2/23/2005 4:14 PM
To:      openssl-users@openssl.org
Cc: 
Subject: Re: s_client handshake failure [checked for viruses]
[EMAIL PROTECTED] wrote the following on 23.02.2005 12:09:

> Hi,
> 
> You can specify the protocol to use with -ssl3 or -tls1 otherwise s_client
> sends an ssl v2 client hello. Moreover some debug info with -state or -debug
> could be useful to find what happened.  ;)
# openssl s_client -connect localhost:666 -showcerts -debug
CONNECTED(3)
write to 080ABC00 [080AC2D8] (142 bytes => 142 (0x8E))
 9 Lines of HEX
read from 080ABC00 [080B1838] (7 bytes => 0 (0x0))
4641:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib_c:226:

with "-tls1" it changes only a bit into
4690:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s3_pkt.c:539:


Hans
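
Added example, not part of the thread: decoding the first bytes of the two "write to" dumps above confirms that each write was one complete ClientHello record (TLSv1 in Hans's run, SSLv3 in Frédéric's), so the following "read from ... (5 bytes => 0 (0x0))" is the read of the server's 5-byte record header returning end of file. Struct and function names are hypothetical; the byte values are copied from the dumps.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* First 11 bytes of the two "write to" dumps quoted in the thread. */
static const uint8_t HANS_TLS1[11] = {0x16, 0x03, 0x01, 0x00, 0x5f, 0x01,
                                      0x00, 0x00, 0x5b, 0x03, 0x01};
static const uint8_t FRED_SSL3[11] = {0x16, 0x03, 0x00, 0x00, 0x53, 0x01,
                                      0x00, 0x00, 0x4f, 0x03, 0x00};
/* Hypothetical names, made up for this example. */
struct hello_hdr {
    uint8_t  content_type;    /* 22 (0x16) = handshake */
    uint16_t record_version;  /* 0x0300 = SSLv3, 0x0301 = TLSv1 */
    uint16_t record_len;      /* bytes after the 5-byte record header */
    uint8_t  hs_type;         /* 1 = ClientHello */
    uint32_t hs_len;          /* 24-bit handshake body length */
    uint16_t client_version;  /* version offered inside the ClientHello */
};

/* b: first 11 bytes of a write; written: total size of that write.
 * Returns 0 if it is exactly one record holding one ClientHello, else -1. */
int parse_hello_hdr(const uint8_t b[11], size_t written, struct hello_hdr *h)
{
    h->content_type   = b[0];
    h->record_version = (uint16_t)(b[1] << 8 | b[2]);
    h->record_len     = (uint16_t)(b[3] << 8 | b[4]);
    h->hs_type        = b[5];
    h->hs_len         = (uint32_t)b[6] << 16 | (uint32_t)b[7] << 8 | b[8];
    h->client_version = (uint16_t)(b[9] << 8 | b[10]);
    if (h->content_type != 22 || h->hs_type != 1)
        return -1;                          /* not a ClientHello record */
    if (h->hs_len + 4 != h->record_len)     /* 4-byte handshake header */
        return -1;
    if (written != (size_t)h->record_len + 5)
        return -1;                          /* write is not one whole record */
    return 0;
}

int main(void)
{
    struct hello_hdr h;
    if (parse_hello_hdr(HANS_TLS1, 100, &h) == 0)   /* "100 bytes => 100" */
        printf("ClientHello %04x, record %u bytes\n",
               (unsigned)h.client_version, (unsigned)h.record_len);
    if (parse_hello_hdr(FRED_SSL3, 88, &h) == 0)    /* "88 bytes => 88" */
        printf("ClientHello %04x, record %u bytes\n",
               (unsigned)h.client_version, (unsigned)h.record_len);
    return 0;
}
```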


Beginner Question

2005-02-24 Thread Ragnar Paulson

Hello and thanks in advance for advice.  I need to quickly come up to speed  
using the openssl API.  I have the basic administration knowledge, having 
configured web servers (apache) to use SSL, as well as securing pop and imap 
with stunnel.

Now I need to actually modify an existing proprietary library to use SSL over a 
socket instead of using the socket directly.  I've gone through openssl.org, 
the man pages, and Eric Rescorla's introduction to SSL programming.  I'm within 
a few hours of finishing  the modifications apparent from these sources but 
still fear I am missing something in the big picture.  It's not at all clear 
how a BIO is used or needs to be used in this context.  There will apparently 
be problems in a multi-threaded environment but the steps to avoid them are 
unclear.  Plus a few other basics.  

I'm looking for a pointer to more documentation of how to use the openssl API,  
I don't really want to read the source or learn the internals.   I have found 
the following two references:

SSL and TLS: Designing and Building Secure Systems by Eric Rescorla
Network Security with OpenSSL: Cryptography for Secure Communications by John 
Viega, Matt Messier, and Pravir Chandra

Which of these should I buy, or is there a more recommended alternative?

Thanks again,
Ragnar



Ragnar Paulson   [EMAIL PROTECTED]
The Software Group Limited
705 725  x21
1.618033989


Command-line RSA-signature from a hash

2005-02-24 Thread Antonio Ruiz Martínez
Hello!
   I would like to use the command-line to create a signature (and 
verify it) from a digest. Due to some reasons I don't want to use the 
original text to create a hash and next the signature. For this reason, 
the use of  openssl dgst -sha1 is not valid for me

In order to get the hash I'm using openssl sha1 --binary
After, I would like to get a signature using this hash.
I have tested to use  rsautl  this way:
openssl rsautl -sign -in hash.sha1 -inkey kt.pem -out signature.sha1
and to verify it I'm using openssl rsautl -verify.
Then I have to compare the hash values and this way works!
However I would like to know if there is another command-line tool that 
performs this process. That is, the signature and the verification from a 
hash, not from a file.
And if not, is there any way to sign with the hash in a PKCS#1 format? 
because the way I'm using is not PKCS#1 compliant. I'm signing the hash 
however it should be an ASN.1 structure telling the hash OID and the 
hash value.

Could you help me to solve my problem, please?
Regards,
Antonio.
--
--
Antonio Ruiz Martínez
Faculty of Computer Science-University of Murcia
30071 Murcia - Spain
e-mail: [EMAIL PROTECTED] or arm [at] dif [dot] um [dot] es
--
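
Added example, not part of the thread: the block a PKCS#1 v1.5 SHA-1 signature is computed over, that is, the DigestInfo structure (hash OID plus hash value) that the message above says is missing when rsautl signs the bare hash, and that RSA_sign builds from the 20-byte digest discussed in Marco Roeland's reply. Function names are hypothetical; the 15-byte prefix is the standard DER encoding for SHA-1.

```c
#include <stddef.h>
#include <string.h>

/* DER prefix of DigestInfo for SHA-1 (PKCS #1 v1.5): AlgorithmIdentifier
 * with OID 1.3.14.3.2.26 and NULL parameters, then an OCTET STRING header
 * for the 20-byte hash. */
static const unsigned char SHA1_PREFIX[15] = {
    0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e,
    0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14
};
#define SHA1_LEN 20
#define DIGESTINFO_LEN (sizeof SHA1_PREFIX + SHA1_LEN)   /* 35 */

/* Write DigestInfo(SHA-1, digest) to out[35]; returns its length. */
size_t sha1_digestinfo(const unsigned char digest[SHA1_LEN], unsigned char *out)
{
    memcpy(out, SHA1_PREFIX, sizeof SHA1_PREFIX);
    memcpy(out + sizeof SHA1_PREFIX, digest, SHA1_LEN);
    return DIGESTINFO_LEN;
}

/* Build the k-byte block 00 01 FF..FF 00 DigestInfo that is fed to the RSA
 * private-key operation (k = modulus size in bytes). Returns 0, or -1 when
 * DigestInfo plus the 11 bytes of minimum padding does not fit in k. */
int emsa_pkcs1_v15_sha1(const unsigned char digest[SHA1_LEN],
                        unsigned char *em, size_t k)
{
    if (k < DIGESTINFO_LEN + 11)
        return -1;
    size_t ps = k - DIGESTINFO_LEN - 3;   /* number of FF bytes, >= 8 */
    em[0] = 0x00;
    em[1] = 0x01;
    memset(em + 2, 0xff, ps);
    em[2 + ps] = 0x00;
    sha1_digestinfo(digest, em + 3 + ps);
    return 0;
}

/* Verifier side: re-encode the expected digest and compare the whole block,
 * instead of parsing the recovered block and trusting its layout. */
int em_matches(const unsigned char *em, size_t k,
               const unsigned char digest[SHA1_LEN])
{
    unsigned char want[512];
    if (k > sizeof want || emsa_pkcs1_v15_sha1(digest, want, k) != 0)
        return 0;
    return memcmp(em, want, k) == 0;
}
```

Writing the 35 bytes from sha1_digestinfo() to a file and passing that file to rsautl -sign in place of the bare hash gives a signature in the PKCS#1 layout.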


Re: Beginner Question

2005-02-24 Thread Bernhard Froehlich
Ragnar Paulson wrote:
> [...]
> I'm looking for a pointer to more documentation of how to use the openssl API,
> I don't really want to read the source or learn the internals.   I have found
> the following two references:
> SSL and TLS: Designing and Building Secure Systems by Eric Rescorla
> Network Security with OpenSSL: Cryptography for Secure Communications by John
> Viega, Matt Messier, and Pravir Chandra
> Which of these should I buy, or is there a more recommended alternative?

I like to recommend the second one but I do not know the first.
From what you write about your knowledge and intentions I think you can 
find useful information in Viega et al. Have a look at 
http://www.oreilly.com/catalog/openssl/toc.html to see the table of 
contents, maybe it helps you to decide.

> Thanks again,
> Ragnar

Hope it helps,
Ted
;)




Doubt on OpenSSL FIPS Compliance

2005-02-24 Thread prakash babu



Hello All,

i. OpenSSL 0.9.7e supports FIPS-140.

ii. OpenSSL contains the FIPS 140 specific cryptographic API and algorithm
implementations only for low level algorithms (RSA, AES, 3DES, DSA, SHA-1)
in the fips subdirectory.

iii. When we build OpenSSL with FIPS support the FIPS implementations of the
above algorithms and the normal implementations for the other algorithms are
added to the crypto library.

My question is

Can we call this crypto library FIPS compliant (or) should we disable the
unsupported algorithms using no- to call it FIPS compliant ?
 
Thanks,
Prakash
