Strange BIO_new(BIO_s_file()) behaviour

2005-09-26 Thread Scratch
In the 1st example everything is ok, fout points to BIO structure:

void main()
{
  BIO *fout;
  fout=BIO_new(BIO_s_file());
}

BUT if I put this code in a separate procedure, fout points to nothing:

void Encrypt(unsigned char *pass, unsigned char *plaintext)
{
  BIO *fout;
  fout=BIO_new(BIO_s_file());
}

void main()
{
 Encrypt(foo,bar);
}

Am I missing something?
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]


pkcs#7 API usage

2005-09-26 Thread konark


Dear Users,

I'm new to OpenSSL but I have a good knowledge of pkcs7 ...

I want to use OpenSSL pkcs7.h

Please send me API usage docs OR archive links ..


Regards,
konark



problem with UTF8 encoding

2005-09-26 Thread Vincent WYON



Hi all,

I want to create some certificates which CN has special french characters
(like é, è or à...). When I called the function X509_Name_add_entry_by_NID
with this special string (like "Fréd Vàlè"), it returns an error.
After debugging the application, I found that it's the function UTF8_getc
which returns the error

This is the part of my code :

.

// Create a new X509_NAME for CN element
if( !(n = X509_NAME_new()) )
 goto error;
if( (nid = OBJ_txt2nid( "CN" )) == NID_undef )
 goto error;
// Add the string "Fréd Vàlé" to "CN" (by using MBSTRING_UTF8)
BYTE abValue[] = "Fréd Vàlè";

if( !X509_NAME_add_entry_by_NID( n, nid, MBSTRING_UTF8, abValue, -1, -1, 0 ) )
 goto error;

If I put in comment the "UTF8_getc" function, all is OK. But if I tried to
parse the created file with the command asn1parse, the string is encoded to
ASN1_T61STRING and not to ASN1_UTF8STRING. So why

I supposed that somebody test UTF8 encoding with stressed characters. So what
can I do to use correctly UTF8 encoding ?

Excuse me for my bad english
Thanks

vincent





Re: problem with UTF8 encoding

2005-09-26 Thread Victor Duchovni
On Mon, Sep 26, 2005 at 02:07:40PM +0200, Vincent WYON wrote:

 Hi all,
 
 I want to create some certificates which CN has special french characters 
 (like ?, ? or ?...). When I called the function X509_Name_add_entry_by_NID 
 with this special string (like Fr?d V?l?), it returns an error.
 After debugging the application, i found that it's the function UTF8_getc 
 whose returns the error
 

Your input string is likely ISO-8859-1; provide input that *is* UTF8
encoded. In UTF8, non-ASCII characters take at least two bytes to encode:

http://www.ietf.org/rfc/rfc3629.txt

-- 
Viktor.


Re: problem with UTF8 encoding

2005-09-26 Thread Vincent WYON
Hi Victor,

So, if I understood you, I must convert my input string (ISO-8859-1 to
UTF-8) before passing it to the function X509_Name_add_entry_by_NID.
I thought that it was the function which converted my input string to
UTF-8

OK, I'll test it. Do you know a function (in C language) which does this
conversion ?

Vincent

- Original Message - 
From: Victor Duchovni [EMAIL PROTECTED]
To: openssl-users@openssl.org
Sent: Monday, September 26, 2005 2:24 PM
Subject: Re: problem with UTF8 encoding


 On Mon, Sep 26, 2005 at 02:07:40PM +0200, Vincent WYON wrote:

 Hi all,

 I want to create some certificates which CN has special french characters 
 (like ?, ? or ?...). When I called the function 
 X509_Name_add_entry_by_NID with this special string (like Fr?d V?l?), 
 it returns an error.
 After debugging the application, i found that it's the function UTF8_getc 
 whose returns the error


 Your input string is likely ISO-8859-1, provide input that *is* UTF8
 encoded, in UTF8, non-ASCII characters take at least two bytes to encode:

 http://www.ietf.org/rfc/rfc3629.txt

 -- 
 Viktor.


Re: problem with UTF8 encoding

2005-09-26 Thread Victor Duchovni
On Mon, Sep 26, 2005 at 03:16:40PM +0200, Vincent WYON wrote:

 So, if i understood you, i must convert my input string (ISO-8859-1 to 
 UTF-8) before passing it to the function X509_Name_add_entry_by_NID.
 I thought that it was the function which converted my input string to 
 UTF-8

How would it know the character set of the input string?

 Ok, I'll test it Do you know a function (in C language) which doing this 
 conversion ?
 

There are many web search engines to choose from, though some are more
popular than others...

-- 
Viktor.


Re: problem with UTF8 encoding

2005-09-26 Thread Dr. Stephen Henson
On Mon, Sep 26, 2005, Dr. Stephen Henson wrote:

 On Mon, Sep 26, 2005, Vincent WYON wrote:
 
  Hi Victor,
  
  So, if i understood you, i must convert my input string (ISO-8859-1 to 
  UTF-8) before passing it to the function X509_Name_add_entry_by_NID.
  I thought that it was the function which converted my input string to 
  UTF-8
  
  Ok, I'll test it Do you know a function (in C language) which doing 
  this 
  conversion ?
  
 
 Keep the character type as MBSTRING_ASC and it should convert from ISO-8850-1
 correctly. 

That should be ISO-8859-1 of course...

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
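
Added example, not part of any message in this thread and not OpenSSL code: a dependency-free ISO-8859-1 to UTF-8 converter and a strict RFC 3629 validator, showing why the Latin-1 bytes of "Fréd Vàlè" are rejected by a UTF-8 decoder and what the converted buffer looks like before it is passed with MBSTRING_UTF8. The function names latin1_to_utf8 and utf8_is_valid and the sample bytes are constructed for this illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Convert ISO-8859-1 bytes to UTF-8. Every Latin-1 byte is the Unicode code
 * point of the same value, so bytes >= 0x80 become a two-byte sequence.
 * Returns the number of bytes written, or 0 if out is too small. */
size_t latin1_to_utf8(const unsigned char *in, size_t inlen,
                      unsigned char *out, size_t outcap)
{
    size_t o = 0;
    for (size_t i = 0; i < inlen; i++) {
        unsigned char c = in[i];
        if (c < 0x80) {
            if (o + 1 > outcap) return 0;
            out[o++] = c;
        } else {
            if (o + 2 > outcap) return 0;
            out[o++] = (unsigned char)(0xC0 | (c >> 6));
            out[o++] = (unsigned char)(0x80 | (c & 0x3F));
        }
    }
    return o;
}

/* Strict RFC 3629 check: rejects stray continuation bytes, truncated
 * sequences, overlong forms, surrogates and values above U+10FFFF.
 * Returns 1 if the buffer is well-formed UTF-8, 0 otherwise. */
int utf8_is_valid(const unsigned char *s, size_t len)
{
    size_t i = 0;
    while (i < len) {
        unsigned char c = s[i];
        unsigned long cp, lo;
        int n;
        if (c < 0x80)                { i++; continue; }
        else if ((c & 0xE0) == 0xC0) { n = 1; cp = c & 0x1F; lo = 0x80; }
        else if ((c & 0xF0) == 0xE0) { n = 2; cp = c & 0x0F; lo = 0x800; }
        else if ((c & 0xF8) == 0xF0) { n = 3; cp = c & 0x07; lo = 0x10000; }
        else return 0;               /* 0x80..0xBF or 0xF8..0xFF as lead byte */
        if (len - i - 1 < (size_t)n) return 0;   /* truncated sequence */
        for (int k = 1; k <= n; k++) {
            if ((s[i + k] & 0xC0) != 0x80) return 0;
            cp = (cp << 6) | (s[i + k] & 0x3F);
        }
        if (cp < lo || cp > 0x10FFFF) return 0;
        if (cp >= 0xD800 && cp <= 0xDFFF) return 0;
        i += (size_t)n + 1;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample: "Fréd Vàlè" as ISO-8859-1 bytes. */
    const unsigned char latin1[] = "Fr\xE9" "d V\xE0" "l\xE8";
    unsigned char utf8[2 * sizeof(latin1)];
    size_t n = latin1_to_utf8(latin1, sizeof(latin1) - 1, utf8, sizeof(utf8));

    printf("latin1 valid as UTF-8: %d\n", utf8_is_valid(latin1, sizeof(latin1) - 1));
    printf("converted: %zu bytes, valid: %d\n", n, utf8_is_valid(utf8, n));
    return 0;
}
```

In the Latin-1 input, 0xE9 looks like the lead byte of a three-byte sequence but is followed by ASCII 'd', which is why a UTF-8 decoder stops there.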


RE: SSL per session memory usage

2005-09-26 Thread Prashant Kumar
Martin,

Just one caution with changing the buffer sizes. During handshake, if the SSL engine gets a certificate chain, you should have space to handle it! If you do the changes I have done you may not even have to worry about changing the buffer sizes.

I use memory BIOs, and the way you free the buffers and allocate them may depend on the BIO you use. When you do SSL_connect or SSL_accept, you could know whether the handshake is complete from the function SSL_is_init_finished(pSSL_m). While doing handshake, you could feed the received data to SSL engine and call SSL_connect or SSL_accept based on the client or server. You could use "SSL_get_error(pSSL_m, n)" to see whether the handshake is complete after calling SSL_connect/SSL_accept. The prototype code would look like this:

1. Receive data
2. Check whether the connection is complete by calling SSL_is_init_finished(pSSL_m). 
3. If no, feed the data to SSL engine and call SSL_accept or SSL_connect and then call SSL_get_error. If SSL_get_error returns SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE handshake is still in progress or else the handshake is complete and you could free the buffer.

The tricky part is to handle boundary conditions. When you act as a server, you want to make sure to check whether the handshake is complete once you have flushed the last finished message. Also, when you act as a client you got to make sure to check the state after you have received the last finished message.

You could apply similar strategy when you send or receive application data.

You also have to handle the case with SSLv2 (the easiest thing is to disable SSLv2).

These changes may sound complicated. However, they are very easy to do. Just to give you confidence, I was able to do these changes within a day!

-Prashant.


Martin Del Vecchio [EMAIL PROTECTED] wrote:


Thanks for getting back to me.

I understand your strategy, and I like it a lot, and I have started to implement it. I was hoping that you could point out all the places in OpenSSL that I need to check, to save me a little of the grief.

Where are you calling SSL_is_init_finished() to determine if the handshake is complete? In SSL_accept() and SSL_connect()? Couldn't you also check the return codes in those functions, and say that (for example) when SSL_accept() returns 1, that the handshake is complete?

Similarly, In SSL_read() and SSL_write(), I am testing the return codes; when each returns success (> 0), I believe it is safe to free the corresponding buffer.

Also, if you still want to decrease the size of the buffers, here is what I have found and tested:

1) On the write side, the buffer simply doesn't need to be 16384 bytes + all the padding. I took the definition for SSL3_RT_MAX_PLAIN_LENGTH (16384) and split it into two; one for Tx and one for Rx. I changed the Tx value to 2048, and now my code sends records of 2048 bytes max, instead of 16384.

2) As for the padding; both the Tx and Rx buffers add 1024 bytes for compression expansion:

 #define SSL3_RT_MAX_ENCRYPTED_LENGTH (1024+SSL3_RT_MAX_COMPRESSED_LENGTH)

 There is a build option called OPENSSL_NO_COMP. It is not very well supported, so once I turned it on, I had to fix a lot of compiler errors and warnings. But once I got that fixed, I changed this definition so that it doesn't add the 1024 bytes if compression is disabled. So there's another 2048 bytes/connection.

These changes are less important given your strategy. But I plan to implement both so that I don't have to port to MatrixSSL.

Thanks again!

-Original Message-
From: Prashant Kumar [mailto:[EMAIL PROTECTED]]
Sent: Mon 9/26/2005 10:09 AM
To: Martin Del Vecchio; openssl-users@openssl.org
Subject: Re: SSL per session memory usage

Martin,

When I was looking at this, I found that the OpenSsl code uses s3->rbuf and s3->wbuf as scratch buffer. So, what I found is that, once the handshake is complete I could free these buffers safely until we have to send/receive any data on that SSL session. I reallocate s3->rbuf and s3->wbuf when I have to receive/send data on that session and free them as soon as the operation is over. I allocate these buffers from my memory pool which reduces any overhead associated with allocating and freeing buffers.

The changes I have done to achieve this are completely outside the OpenSsl code because I wanted to keep changes to OpenSsl minimum. However, OpenSsl code could be changed to have the same behavior.

You could use the function SSL_is_init_finished(pSSL_m) to determine whether the handshake is complete or not.

Look at the function "ssl3_setup_buffers" to see how these buffers are allocated.

Hopefully, this is helpful. Please feel free to send me a mail if you have more questions.

- Prashant.

Martin Del Vecchio [EMAIL PROTECTED] wrote:

In May, you posted a series of messages to the openssl-dev mailing list about per-session memory usage.

I am running into the exact same problems, and I would love to get your patches to try them 

Windows BIO operation glitch

2005-09-26 Thread Katie Lucas


Hello. We've been looking at using OpenSSL for various comms things;
we've prototyped the code on UNIX and I've started moving it over to
Windows.

We're using the binary distributions from Shining Light for Windows
compiling with Borland C++ Builder 6.0 , the source version from
OpenSSL.org for Linux. Linux works peachy.

PEM_read_X509 crashes. Now, I know this is a fairly well known thing,
and people said to go do the locking (which I did) and faff about with
the applink bit (which is a pain) but eventually that all seems sorted.

PEM_read_X509 still crashes.

I've been pulling code out of the source tree and installing it in the
project so I can debug it, and I've eventually narrowed it down to the
calls in bss_file... the part where it calls bgets through the BIO
method pointer.

I can call BIO_read() without any problem, but BIO_gets() takes ages
and then protection faults.

I can see nothing wrong with the method that ought to be being called
through that pointer so I pull that in to the project, set the
pointers up for it... and everything works.

So I have my own copy of int file_gets(BIO *bp, char *buf, int size)
and before I call PEM_read_X509 I say;

BIO_s_file()->bgets = file_gets;

and now instead of crashing, the certificate loads fine.

The only alteration is that now file_gets lives in the app instead
of the statically linked library.

My question is, is this part of some known issue that I've missed
finding the documentation for? Or is this some sort of bizarre effect
of the Borland link/calling conventions?

Cheers for any help!




Re: Windows BIO operation glitch

2005-09-26 Thread Dr. Stephen Henson
On Mon, Sep 26, 2005, Katie Lucas wrote:

 
 
 Hello. We've been looking at using OpenSSL for various comms things;
 we've prototyped the code on UNIX and I've started moving it over to
 Windows.
 
 We're using the binary distributions from Shining Light for Windows
 compiling with Borland C++ Builder 6.0 , the source version from
 OpenSSL.org for Linux. Linux works peachy.
 
 PEM_read_X509 crashes. Now, I know this is a fairly well known thing,
 and people said to go do the locking (which I did) and faff about with
 the applink bit (which is a pain) but eventually that all seems sorted.
 
 

Well the FAQ doesn't mention locking...

The usual cause of this is a runtime library conflict. Some compilers (VC++ in
particular) have different runtime libraries for debugging and
multi-threading.

If the OpenSSL shared library is linked with one runtime library version and
the application uses another this can cause a conflict.

One particular area which can cause problems is stdio usage which you've hit
there with fgets().

The usual solution is to make sure you use the same runtime library version with
OpenSSL DLLs and your application.

The applink code is another alternative, though I haven't tried that myself.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk


Encryption: Getting Started

2005-09-26 Thread Robert Nurse
Hi All,

Could someone suggest a good book for getting started with data encryption?

Thanks.
-- Liberalism is trust of the people, tempered by prudence; conservatism, distrust of the people, tempered by fear. -William Gladstone --
Robert Nurse
http://www.bajansrealm.com
AIM: BarbadosToNYC


PKCS#7 - storing raw data of ECDSA operation

2005-09-26 Thread Karsten Ohme
Hello,

I have the raw signature data of an elliptic curve DSA operation from a
smart card. In addition I will have a certificate for the public key of
the elliptic curve algorithm. I want to store the results as a p7s file.
How can this be done?

I haven't found any documentation, only in the pkcs7/sign.c file I
found something maybe interesting:

p7=PKCS7_new();
PKCS7_set_type(p7,NID_pkcs7_signed);

What's this? Is this content necessary?

si=PKCS7_add_signature(p7,x509,pkey,EVP_sha1());
if (si == NULL) goto err;

/* If you do this then you get signing time automatically added */

What does this mean?

PKCS7_add_signed_attribute(si, NID_pkcs9_contentType, V_ASN1_OBJECT,
OBJ_nid2obj(NID_pkcs7_data));

/* we may want to add more */
PKCS7_add_certificate(p7,x509);

/* Set the content of the signed to 'data' */
PKCS7_content_new(p7,NID_pkcs7_data);

if (!nodetach)
PKCS7_set_detached(p7,1);

Now what is read in? The raw signature data?

if ((p7bio=PKCS7_dataInit(p7,NULL)) == NULL) goto err;

for (;;)
{
i=BIO_read(data,buf,sizeof(buf));
if (i <= 0) break;
BIO_write(p7bio,buf,i);
}

if (!PKCS7_dataFinal(p7,p7bio)) goto err;
BIO_free(p7bio);

PEM_write_PKCS7(stdout,p7);
PKCS7_free(p7);


Apart from this: Must the data to be signed in DER to be valid with PKCS#7?

Thanks, Karsten


Re: Encryption: Getting Started

2005-09-26 Thread joseph ark
On 9/26/05, Robert Nurse [EMAIL PROTECTED] wrote:
Hi All,

Could someone suggest a good book for getting started with data encryption?

Thanks.
-- Liberalism is trust of the people, tempered by prudence; conservatism, distrust of the people, tempered by fear. -William Gladstone

Try hand book of applied cryptography, I found it useful. :-).
http://www.cacr.math.uwaterloo.ca/hac/

Shalom
ark


How to run CA.all script to generate EAP-TLS certifiate

2005-09-26 Thread ann lee





Hi, all:
 I am new to freeradius world. I am trying to setup EAP-TLS using freeradius server. Would you pls tell me which cisco access point is preferred for the EAP-TLS setup?

I have installed openssl-0.9.8 and freeradius-1.0.5 on Redhat 9.0. I tried several times to generate certificate by running CA.all script which was downloaded from www.missl.cs.umd.edu/wireless/eaptls. But each time I met same issue and failed to generate the certificates. I just typed "./CA.all" to run the script, is there any optional parameters need I input ? (I did not update the file /usr/local/openssl/ssl/openssl.cnf and CA.all)

the following is part of the error log:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:whatever
An optional company name []:radius
Using configuration from /usr/local/openssl/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem: (I entered "whatever" for pass phrase, right? I don't know what is the pass phrase?)
./demoCA/serial: No such file or directory (I think this file ./demoCA/serial will be created automatically when running the CA.all, right?)
error while loading serial number
4427:error:02001002:system library:fopen:No such file or directory:bss_file.c:349:fopen('./demoCA/serial','r')
4427:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:351:
No certificate matches private key
4429:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:150:
unable to load certificate
4430:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:644:Expecting: TRUSTED CERTIFICATE

Enclosed is the complete log of running the script CA.all. I am not clear the root cause. Your help is very appreciated. had better provide me a successful log of running the CA.all. I don't know which information I should input when running the CA.all.

Thanks a lot
ann
run ./CA.all

 
##
create private key
name : name-root
CA.pl -newcert
##
 
Generating a 1024 bit RSA private key
...++
..++
writing new private key to 'newreq.pem'
-
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Beijing
Locality Name (eg, city) []:Beijing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:OpenTide
Organizational Unit Name (eg, section) []:IT Solution
Common Name (eg, YOUR name) []:wanghao
Email Address []:[EMAIL PROTECTED]
 
##
create CA
use just created 'newreq.pem' private key as filename
CA.pl -newca
##
 
CA certificate filename (or enter to create)
 
##
exporting ROOT CA
CA.pl -newreq
CA.pl -signreq
openssl pkcs12 -export -in demoCA/cacert.pem -inkey newreq.pem 
-out root.pem
openssl pkcs12 -in root.cer -out root.pem
##
 
MAC verified OK
 
##
creating client certificate
name : name-clt
client certificate stored as cert-clt.pem
CA.pl -newreq
CA.pl -signreq
##
 
Generating a 1024 bit RSA private key
..++
..++
writing new private key to 'newreq.pem'
-
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Beijing
Locality Name (eg, city) []:Beijing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:OpenTide
Organizational Unit Name (eg, section) []:IT Solution
Common Name (eg, YOUR name) []:wanghao
Email Address []:[EMAIL PROTECTED]
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:whatever
An optional company name []:radius
Using configuration from /usr/local/openssl/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
./demoCA/serial: No such file or directory
error while loading serial number
4427:error:02001002:system library:fopen:No such file or