Using X509 get ext d2i
Looking at the OpenSSL source code, I believe that the caller must free the struct that X509_get_ext_d2i returns. What function should I call to free the returned struct? My code looks like this: X509_EXTENSION* ext = 0; X509V3_EXT_METHOD* method = 0; void* entries = 0; int idx = -1; int nid = NID_subject_alt_name; idx = X509_get_ext_by_NID(cert, nid, idx); if (idx = 0) { ext = X509_get_ext(cert, idx); if (ext) { method = X509V3_EXT_get(ext); } } entries = X509_get_ext_d2i(cert, nid, 0, 0); if (method entries) { STACK_OF(CONF_VALUE)* val = method-i2v(method, entries, 0); for (int j = 0; j sk_CONF_VALUE_num(val); ++j) { CONF_VALUE* nval = sk_CONF_VALUE_value(val, j); if (strcmpi_(nval-name, DNS) == 0) { retVal = -2; if (strcmpi_(nval-value, aServerName) == 0) { retVal = 0; break; } } } } Also, do I need to free the result from method-i2v? If so, how? Thanks! -- Doug Sauder __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Is it possible to set IV length in EVP_Cipher?
Hola! Dr. Stephen Henson wrote: On Tue, Mar 08, 2005, Antonio Ruiz Martnez wrote: Hello! I have been looking at how I can set the length of the iv parameters in a cipher algorithm. I saw that we can put the IV with EVP_CipherInit_ex(ctx, NULL, NULL, key, iv, do_decrypt); However this length, in RC2_CBC, is 8 bytes I don't know if it is possible to use another different length. I think that it is possible because Mozilla uses it, but I'm not sure if a mistake of its implementation. I would like to use 12 bytes like mozilla. How could I set the iv length in Openssl for any algorithm? The obvious question is why? I'm not sure what you mean about Mozilla. Thanks for your answer. Mozilla is using a IV of 12 bytes length. I don't know why. That is the reason because I asked if it was possible to use another differente length in the IV. Regards, Antonio. For the cipher modes that use an IV the IV length is equal to the block length of the cipher. That's fixed by standards and there's no way to change it. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] -- -- Antonio Ruiz Martnez Faculty of Computer Science-University of Murcia 30071 Murcia - Spain e-mail: [EMAIL PROTECTED] or arm [at] dif [dot] um [dot] es --
Re: Is it possible to set IV length in EVP_Cipher?
On Fri, Mar 11, 2005, Antonio Ruiz MartÃnez wrote: Hola! Thanks for your answer. Mozilla is using a IV of 12 bytes length. I don't know why. That is the reason because I asked if it was possible to use another differente length in the IV. What makes you think Mozilla is using a 12 byte IV? It might not actually be an IV in the normal sense. If its a key derivation algorithm and the IV is in fact the seed then the size is variable. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Using X509 get ext d2i
On Fri, Mar 11, 2005, [EMAIL PROTECTED] wrote: Looking at the OpenSSL source code, I believe that the caller must free the struct that X509_get_ext_d2i returns. What function should I call to free the returned struct? My code looks like this: X509_EXTENSION* ext = 0; X509V3_EXT_METHOD* method = 0; void* entries = 0; int idx = -1; int nid = NID_subject_alt_name; idx = X509_get_ext_by_NID(cert, nid, idx); if (idx = 0) { ext = X509_get_ext(cert, idx); if (ext) { method = X509V3_EXT_get(ext); } } entries = X509_get_ext_d2i(cert, nid, 0, 0); if (method entries) { STACK_OF(CONF_VALUE)* val = method-i2v(method, entries, 0); for (int j = 0; j sk_CONF_VALUE_num(val); ++j) { CONF_VALUE* nval = sk_CONF_VALUE_value(val, j); if (strcmpi_(nval-name, DNS) == 0) { retVal = -2; if (strcmpi_(nval-value, aServerName) == 0) { retVal = 0; break; } } } } Also, do I need to free the result from method-i2v? If so, how? Don't do things that way. It uses extension method structure internals and is likely to cause problems if the underlying structures change. The value returned by X509_get_ext_d2i() depends on the extensioin being used. In the case of subject alt name it is a STACK_OF(GENERAL_NAME). If you check the definition of this structure in x509v3.h you can search it for a DNS name and examine the result in there. When you've done that a call to: sk_GENERAL_NAME_pop_free(gen_names, GENERAL_NAME_free); will free it. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Re: Using X509 get ext d2i
Thanks for the reply. Is there somewhere I can look at the correct code to check the DNS name in a subjectAltName? -- Doug Sauder Dr. Stephen Henson [EMAIL PROTECTED] wrote on 03/11/2005, 01:32:29 PM: On Fri, Mar 11, 2005, [EMAIL PROTECTED] wrote: Looking at the OpenSSL source code, I believe that the caller must free the struct that X509_get_ext_d2i returns. What function should I call to free the returned struct? My code looks like this: X509_EXTENSION* ext = 0; X509V3_EXT_METHOD* method = 0; void* entries = 0; int idx = -1; int nid = NID_subject_alt_name; idx = X509_get_ext_by_NID(cert, nid, idx); if (idx = 0) { ext = X509_get_ext(cert, idx); if (ext) { method = X509V3_EXT_get(ext); } } entries = X509_get_ext_d2i(cert, nid, 0, 0); if (method entries) { STACK_OF(CONF_VALUE)* val = method-i2v(method, entries, 0); for (int j = 0; j sk_CONF_VALUE_num(val); ++j) { CONF_VALUE* nval = sk_CONF_VALUE_value(val, j); if (strcmpi_(nval-name, DNS) == 0) { retVal = -2; if (strcmpi_(nval-value, aServerName) == 0) { retVal = 0; break; } } } } Also, do I need to free the result from method-i2v? If so, how? Don't do things that way. It uses extension method structure internals and is likely to cause problems if the underlying structures change. The value returned by X509_get_ext_d2i() depends on the extensioin being used. In the case of subject alt name it is a STACK_OF(GENERAL_NAME). If you check the definition of this structure in x509v3.h you can search it for a DNS name and examine the result in there. When you've done that a call to: sk_GENERAL_NAME_pop_free(gen_names, GENERAL_NAME_free); will free it. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Re: Using X509 get ext d2i
On Fri, Mar 11, 2005, Doug Sauder wrote: Thanks for the reply. Is there somewhere I can look at the correct code to check the DNS name in a subjectAltName? Not in the OpenSSL core code but it isn't hard. You just have to loop through the GENERAL_NAME STACK and look for a type GEN_DNS and check the dNSName field of those. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Re: Using X509 get ext d2i
Is there somewhere I can look at the correct code to check the DNS name in a subjectAltName? Not in the OpenSSL core code but it isn't hard. You just have to loop through the GENERAL_NAME STACK and look for a type GEN_DNS and check the dNSName field of those. in curl, in lib/ssluse.c there is a routine verifyhost that does what is required (and more, i.e; it also chacks an IP address etc. == http://curl.haxx.se peter __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
SSL communication behind proxy
Hi All, I am currently able to communicate with HTTP servers using proxy successfully using openssl but I am unable to figure out the way to communicate with HTTPs servers using proxy. Pleae help me out regarding this issue. Regards, Muhammad Aftab Alam __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: SSL communication behind proxy
Please post the answer to this on the board and not privately. I would like to know as well. The samples are not useful. M -Original Message- From: Aftab Alam [mailto:[EMAIL PROTECTED] Sent: Friday, March 11, 2005 7:49 AM To: openssl-users@openssl.org Subject: SSL communication behind proxy Hi All, I am currently able to communicate with HTTP servers using proxy successfully using openssl but I am unable to figure out the way to communicate with HTTPs servers using proxy. Pleae help me out regarding this issue. Regards, Muhammad Aftab Alam __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Newbie: Symmetric Key Cypto as Hasing Algo?
Pardon me if I'm beating an already dead horse here. But with the recent news on the breaking of MD-5, SHA-1, etc., I was wondering: is there a way for OpenSSL to use symmetric key ciphers as hashing algorithms? As I understand it, given a symmetric key cipher c = f(k,p) where c is the ciphertext, k is the key, and p is the plaintext, where c and p are both m bits in length and k is n bits in length, you can turn this into a hash function. The hash fuction has an internal state (and final hash value) of m bits and hashes the input text in blocks on n bits. Giving an initial internal state of s, and a text block b, you calculate the new internal state s' as s' = f(b, s). Note that the text block goes into the key parameter of the initial cipher, while the original internal state is the plaintext. Note also that this assumes the cipher text has no weak keys for obvious reasons- DES and 3DES are bad choices, as is IDEA IIRC. But AES, Blowfish, Twofish, etc. should all work. Thanks. Brian __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: SSL communication behind proxy
On Fri, Mar 11, 2005, Aftab Alam wrote: Hi All, I am currently able to communicate with HTTP servers using proxy successfully using openssl but I am unable to figure out the way to communicate with HTTPs servers using proxy. Pleae help me out regarding this issue. You need to connect to the proxy, send whatever commands are necessary to connect to the remote host and then pass the connection over to OpenSSL. How you do that last bit depends on whether you are using BIOs or SSL structures for SSL and how you sent the original proxy commands. If you sent the proxy commands through a BIO you just append it to an SSL BIO or call SSL_set_bio(). If you sent the proxy commands through an fd you can convert it to a socket BIO and append it to an SSL BIO or call SSL_set_fd(). Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
problem reading multiple records from the server
I am faced with a scenario where after a successful handshake with the server on a nonblocking socket, the server starts to send multiple records (packets) to the client and closes the socket. The SSL_read( ) api successfully reads the first record by looping till SSL_Pending( ) returns remaining bytes. After which, the subsequent SSL_read returns a -1 error which I retrieve through SSL_get_error. While debugging, I find out that in memory the variable s-s3-rbuf.buf has only loaded the first record data. Hence I am able to only read the first record. I understand from the definition of SSL_read that if no more bytes are in the buffer, SSL_read() will trigger the processing of the next record automatically. This doesn't seem to be happening. Should I block the server after sending each record ? and how can I do that if that is the solution ? Thanks. __ Do you Yahoo!? Yahoo! Small Business - Try our new resources site! http://smallbusiness.yahoo.com/resources/ __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]