Re: 9.8a Debug version

2006-03-09 Thread jimmy 

Venkata Sairam wrote:

Hi,

I am currently using the debug version of Open SSL 9.7e. I am encountering
some problems in getting the debug version of 9.8a. I currently have the
dlls for the 9.8a but I don't have the pdb files. I would need to use
RSA-PSS using the new dell and perform some debug operations.

Can anyone please post the *.pdb files for 9.8a debug version?

Thanks.

Venkata


Mmm. why not build them yourself?
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

RE: 9.8a Debug version

2006-03-09 Thread Venkata Sairam 
Hi

I am encountering certain problems when building it for 9.8a. I am currently
able to get only about 30 pdb files for the 9.8a debug version. I believe it
is not the complete set as I am not able to perform any debug operations in
the openssl code.

Can anyone who has build the debug version for 9.8a please post all the
files needed to debug?

Thanks.

-Venkata


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of jimmy
Sent: Thursday, March 09, 2006 4:14 PM
To: openssl-users@openssl.org
Subject: Re: 9.8a Debug version


Venkata Sairam wrote:
 Hi,

 I am currently using the debug version of Open SSL 9.7e. I am encountering
 some problems in getting the debug version of 9.8a. I currently have the
 dlls for the 9.8a but I don't have the pdb files. I would need to use
 RSA-PSS using the new dell and perform some debug operations.

 Can anyone please post the *.pdb files for 9.8a debug version?

 Thanks.

 Venkata

Mmm. why not build them yourself?
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

RE: PKCS7_verify with CRL

2006-03-09 Thread Venkata Sairam 
Hi,

Thanks for the reply.

I want to perform only a CRL check and not a chain verification. My CRL is
present in the store parameter. I have set the flag for CRL_CHECK for the
store parameter.

May I know the flag that needs to be set for the
 int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, BIO
*indata, BIO *out, int flags);

I tested using the PKCS7_NOVERIFY, but this doesn't check for the CRL. Is
there any flag that I can set to perform only CRL check and not a chain
verification?

Thanks

-Venkata



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Dr. Stephen Henson
Sent: Thursday, March 02, 2006 8:41 PM
To: openssl-users@openssl.org
Subject: Re: PKCS7_verify with CRL


On Thu, Mar 02, 2006, Venkata Sairam wrote:

 Hi

 I have the PKCS7 object signed by a certificate. The certificate is
revoked
 and I have the corresponding CRL. I have the certificate in the certs
 variable and the CRL in the store variable. I am using the method below:

 int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, BIO
 *indata, BIO *out, int flags);

 Does the method PKCS7_verify verify the certificates in 'certs' against
the
 CRLs present in the 'store'?


If the crl checking flags are set in the store yes.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: 9.8a Debug version

2006-03-09 Thread jimmy 

Venkata Sairam wrote:

Hi

I am encountering certain problems when building it for 9.8a. I am currently
able to get only about 30 pdb files for the 9.8a debug version. I believe it
is not the complete set as I am not able to perform any debug operations in
the openssl code.

Can anyone who has build the debug version for 9.8a please post all the
files needed to debug?

Thanks.

-Venkata

Do you mean you are not able to debug the openssl.exe or the openssl 
library generated?


Could you give more information on what you did to include debug info? 
If it's the openssl.exe maybe you haven't included /DEBUG option with 
the link options or you can try using /Z7 for builtin debug info rather 
than the /Zi.


Does this help?

-jb
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Question about password-based encryption key generation

2006-03-09 Thread uno wand 

Hi,

Could someone point me to an example on how to generate encryption from 
password

using Openssl?

I have a java application that uses HmacSHA to generate encryption key from 
a

password, and the encrypted msg is send to the C application. Both Java and
C apps shared the same password and salt, and the Java app is using 
AES/128/CBC

to do the encryption.

I just want an example on how to generate key using Openssl, especially on 
how

to get to same result as in Java.

Thanks in advance for any hint.

uno

_
Express yourself instantly with MSN Messenger! Download today - it's FREE! 
http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: Question about password-based encryption key generation

2006-03-09 Thread Brian Candler 
On Thu, Mar 09, 2006 at 05:33:42AM -0600, uno wand wrote:
 I have a java application that uses HmacSHA to generate encryption key from 
 a
 password, and the encrypted msg is send to the C application. Both Java and
 C apps shared the same password and salt, and the Java app is using 
 AES/128/CBC
 to do the encryption.
 
 I just want an example on how to generate key using Openssl, especially on 
 how
 to get to same result as in Java.

HMAC-SHA1 is explained in RFC 2104, with some test cases in RFC 2202, so you
can check both your Java and C implementations are correct independently.

HMAC does not define how to use a salt. Therefore, you will need to take
apart your Java application, and work out exactly how it combines the
password and salt before passing them to the HMAC function. Then you can
implement the same in your C program.

HTH,

Brian.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

RE: Question about password-based encryption key generation

2006-03-09 Thread uno wand 

Never mind, I found the function PKCS5_PBKDF2_HMAC_SHA1().




Hi,

Could someone point me to an example on how to generate encryption from 
password

using Openssl?

I have a java application that uses HmacSHA to generate encryption key from 
a

password, and the encrypted msg is send to the C application. Both Java and
C apps shared the same password and salt, and the Java app is using 
AES/128/CBC

to do the encryption.

I just want an example on how to generate key using Openssl, especially on 
how

to get to same result as in Java.

Thanks in advance for any hint.



_
Don’t just search. Find. Check out the new MSN Search! 
http://search.msn.click-url.com/go/onm00200636ave/direct/01/


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: X509 cetificate! HELP!D!=!-!)

2006-03-09 Thread Doug Frippon 
I most admit that I haven`t tried that search exactly but I ve got
this error with ISAKMPD adn try with that instead of openssl.
Thx
But I'd like to know what should I do with all the certs that I have
to create. Which should go on the host pc (my OBSD where the CA is and
etc...) and wich on the user pc
THX

On 3/8/06, Brian Candler [EMAIL PROTECTED] wrote:
 On Wed, Mar 08, 2006 at 03:10:23PM -0500, Doug Frippon wrote:
  Hi, I am trying to generate certificate that i,ll be using for a ipsec
  segment between a OBSD 3.8 and a Windows worstation. I'm using ISAKMPD
  for this on the OBSD side and the security filter on Windows. If I use
  a pre-shared key everything is fine but with the certificate I'm
  almost became mad. I'd like to know how to create X.509 certificate
  with subjectAltName.

 Did you try:
 http://www.google.com/search?q=openssl+subjectaltname

 You'll see lots of pages there explaining how to do it.

 If you want a simplified solution, I suggest TinyCA:
 http://tinyca.sm-zone.net/

 This really just the openssl CA, but with a perl GUI (gtk) wrapper around
 it. You can easily configure it so that it prompts you for a subjectAltName
 at the time that each certificate is signed; this can contain either a
 domain name, an IP address, or an E-mail address.

 If you want it *really* easy, then just burn a CD of roCA:
 http://www.intrusion-lab.net/roca/

 This is a bootable Knoppix (Linux) CD with TinyCA pre-installed. Just add a
 USB flash pen and you have a standalone fully-functioning openssl CA with
 fluffy GUI, without installing anything. I find a second USB pen is useful
 for copying CSRs to the CA and copying the certificates back again.

 HTH,

 Brian.

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: X509 cetificate! HELP!D!=!-!)

2006-03-09 Thread Brian Candler 
On Thu, Mar 09, 2006 at 09:13:05AM -0500, Doug Frippon wrote:
 I most admit that I haven`t tried that search exactly but I ve got
 this error with ISAKMPD adn try with that instead of openssl.
 Thx
 But I'd like to know what should I do with all the certs that I have
 to create. Which should go on the host pc (my OBSD where the CA is and
 etc...) and wich on the user pc

Well, you originally asked how to use OpenSSL to create certificates with
subjectAltName.

You are now asking a different question, which is very specific to OpenBSD's
IPSEC/IKE implementation. I'd suggest that you are more likely to get an
answer on an OpenBSD mailing list.

When you post there, make sure you post your full pluto/isakmpd config, a
dump of your certificates, and all the relevant log entries which are
generated when you attempt to bring up a connection.

If you have a working configuration using PSK, then you could post that too,
as it probably only needs a few tweaks to turn it into a certificate-based
one.

Regards,

Brian.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Use of engines in 0.9.8a -- can't use that engine errors

2006-03-09 Thread Warren Gavin 

Hello,

I have installed OpenSSL 0.9.8a and have been trying to get it to work 
with an nCipher nShield HSM.


I get the following error when running various openssl commands, e.g.

$ openssl genrsa -engine chil 512
can't use that engine
2258:error:84067072:CHIL engine:HWCRHK_INIT:locking 
missing:e_chil.c:594:You HAVE to add dynamic locking callbacks via 
CRYPTO_set_dynlock_{create,lock,destroy}_callback()
2258:error:260B806D:engine routines:ENGINE_TABLE_REGISTER:init 
failed:eng_table.c:161:


I have set LD_LIBRARY_PATH to include /opt/nfast/toolkits/hwcrhk. Is 
there something else I'm missing, or has the introduction of the 
'dynamic' type caused some temporary instability in 0.9.8a?


Regards


Warren
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: X509 cetificate! HELP!D!=!-!)

2006-03-09 Thread Doug Frippon 
I'm not sure that I should post it on a OpenBSD mailling list because
my ISAKMPD is working well with pre-shared key. The only bog come from
the certificate. I know that I should create a CA certificate, a
certificate for the OBSD and one for the remote user. but what should
I export to OpenBSD and remote user??? and I did a search with openssl
and altSubjectName that why I didn't found anything!! My bad. In
simple word, my question is does my two host need to have their
certificate, the remote certificate, the CA certificate, and their
private key???
I think it must have the remote cert, the local cert and the
corresponding priv key but not sure about CA cert???
Thx to all for help!!!

On 3/9/06, Brian Candler [EMAIL PROTECTED] wrote:
 On Thu, Mar 09, 2006 at 09:13:05AM -0500, Doug Frippon wrote:
  I most admit that I haven`t tried that search exactly but I ve got
  this error with ISAKMPD adn try with that instead of openssl.
  Thx
  But I'd like to know what should I do with all the certs that I have
  to create. Which should go on the host pc (my OBSD where the CA is and
  etc...) and wich on the user pc

 Well, you originally asked how to use OpenSSL to create certificates with
 subjectAltName.

 You are now asking a different question, which is very specific to OpenBSD's
 IPSEC/IKE implementation. I'd suggest that you are more likely to get an
 answer on an OpenBSD mailing list.

 When you post there, make sure you post your full pluto/isakmpd config, a
 dump of your certificates, and all the relevant log entries which are
 generated when you attempt to bring up a connection.

 If you have a working configuration using PSK, then you could post that too,
 as it probably only needs a few tweaks to turn it into a certificate-based
 one.

 Regards,

 Brian.

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: X509 cetificate! HELP!D!=!-!)

2006-03-09 Thread Brian Candler 
On Thu, Mar 09, 2006 at 10:46:51AM -0500, Doug Frippon wrote:
 I'm not sure that I should post it on a OpenBSD mailling list because
 my ISAKMPD is working well with pre-shared key. The only bog come from
 the certificate. I know that I should create a CA certificate, a
 certificate for the OBSD and one for the remote user. but what should
 I export to OpenBSD and remote user???

That's very much an application question.

I don't use OBSD so I can only talk in generalities. OBSD needs to have a
private key, and it needs to have a certificate containing the public key
corresponding to its private key. The same applies at the client end.

Additionally, both OBSD and the client need to have the root CA certificate
for your CA in the right place.

How exactly you do this is very much a question on how you configure OBSD,
and how you configure the client.

 and I did a search with openssl
 and altSubjectName that why I didn't found anything!! My bad. In
 simple word, my question is does my two host need to have their
 certificate, the remote certificate, the CA certificate, and their
 private key???

Almost. Each host needs to have their own private key, their own
certificate, and the CA certificate, in the right places. When the isakmp
exchange takes place, each side will present its certificate to the other
side. So you don't need to store the other side's certificate anywhere.

Brian.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

SSL_ERROR_SSL on SSL_write

2006-03-09 Thread CHIN, LEY-HUA \(Ginger\), ALABS 



Hi,

I need help in 
SSL_ERROR_SSL error ..

I got 
"SSL_ERROR_SSL" often in SSL_write(), I don't know what causes this error and I 
don't know how to reset or correctthis condition. The docs I found 
just said it's a "protocol error" andcan anyone elaborate more what's 
"protocol error"?Sometimes ( not all the time ),once I got 
this error, the session stuck in this error until I terminated the 
session. Any help will be greatly 
appreciated!!!


Ginger 
Chin

ATT Labs
Gateway System Development
MS: Area 12 / Room 716
4513 Western Avenue
Lisle, IL 60532

(630) 810 7675

Re: X509 cetificate! HELP!D!=!-!)

2006-03-09 Thread Doug Frippon 
Thx Brian that's exactly what I was trying to figure out. For the part
on where cert goes and how to tell apps to use it it's ok but almost
from the begining, I though that my cert have been made incorrectly so
that's why I was postinghere. From that point I should be able to make
it work. thanks to you for all the help you provide me.
Doug2die4 =-)

On 3/9/06, Brian Candler [EMAIL PROTECTED] wrote:
 On Thu, Mar 09, 2006 at 10:46:51AM -0500, Doug Frippon wrote:
  I'm not sure that I should post it on a OpenBSD mailling list because
  my ISAKMPD is working well with pre-shared key. The only bog come from
  the certificate. I know that I should create a CA certificate, a
  certificate for the OBSD and one for the remote user. but what should
  I export to OpenBSD and remote user???

 That's very much an application question.

 I don't use OBSD so I can only talk in generalities. OBSD needs to have a
 private key, and it needs to have a certificate containing the public key
 corresponding to its private key. The same applies at the client end.

 Additionally, both OBSD and the client need to have the root CA certificate
 for your CA in the right place.

 How exactly you do this is very much a question on how you configure OBSD,
 and how you configure the client.

  and I did a search with openssl
  and altSubjectName that why I didn't found anything!! My bad. In
  simple word, my question is does my two host need to have their
  certificate, the remote certificate, the CA certificate, and their
  private key???

 Almost. Each host needs to have their own private key, their own
 certificate, and the CA certificate, in the right places. When the isakmp
 exchange takes place, each side will present its certificate to the other
 side. So you don't need to store the other side's certificate anywhere.

 Brian.

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Kerberos support

2006-03-09 Thread Prashant Kumar 
Hello All,Does OpenSsl has support for Kerberos Ciphers? Is ther any documentation or example how to use the Kerberos ciphers ?Thank you for your help.Regards,  Prashant.
		Yahoo! Mail
Bring photos to life! New PhotoMail  makes sharing a breeze.

Re: Choice of CAs in SSL/TLS handshake

2006-03-09 Thread Peter Sylvester 


I think you are right about the current behaviour
When filling up the intermediate stack, the x609 verify cert break when the
verifydepth is reached as far as I see from the code, but it seems that
the ssl library doesn't set a verify depth?




But in this case the verifydepth would work I think.




Yes but the client will still send the user certificate, one intermediate
CA and optionally the root CA. OpenSSL will use those to build as much of the
path as possible and try to complete it using the trusted store. When it
can't find the root CA in that store it will fail.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]


  



--
To verify the signature, see http://edelpki.edelweb.fr/ 
Cela vous permet de charger le certificat de l'autorité; 
die Liste mit zurückgerufenen Zertifikaten finden Sie da auch. 



smime.p7s
Description: S/MIME Cryptographic Signature

Encryption / Decryption from file

2006-03-09 Thread Manuel Arguelles 
Hello list,

I'm new here, I'm trying to encrypt / decrypt text in a file using the rc4, 
the problem is that I'm not getting good results, here's what I'm doing for 
encryption:

#include stdio.h
#include stdlib.h
#include openssl/bio.h
#include openssl/evp.h

int main(void)
{
char buf[1024];
int total, len, written;
BIO *file = BIO_new_file(out.bin, w);
BIO *buffer = BIO_new(BIO_f_buffer());
BIO *cipher = BIO_new(BIO_f_cipher());

strcpy(buf, Simple Text to Encrypt);

BIO_set_cipher(cipher, EVP_rc4(), mysecretkey, NULL, 1);

BIO_push (cipher, buffer);
BIO_push (buffer, file);

len = strlen(buf);
written = 0;
for (total = 0; total  len; total += written) {
if ((written = BIO_write(cipher, buf + total, len - total)) = 
0) {
if (BIO_should_retry(cipher)) {
written =0;
continue;
}
break;
}
}
BIO_flush(cipher);
BIO_free_all(cipher);
}

compiled it, and when executed I get a out.bin, then when I try to decrypt it 
it fails:

$ openssl enc -d -rc4 -in out.bin -k mysecretkey
bad magic number

what I'm I doing wrong? maybe the -k -K -iv options? as BIO_set_cipher as well 
maybe?

Regards and thank for your time
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: Encryption / Decryption from file

2006-03-09 Thread Kyle Hamilton 
'bad magic number' could actually be an OS error.  Has that openssl
binary worked for you before on other commands?

-Kyle H

On 3/9/06, Manuel Arguelles [EMAIL PROTECTED] wrote:
 Hello list,

 I'm new here, I'm trying to encrypt / decrypt text in a file using the rc4,
 the problem is that I'm not getting good results, here's what I'm doing for
 encryption:

 #include stdio.h
 #include stdlib.h
 #include openssl/bio.h
 #include openssl/evp.h

 int main(void)
 {
 char buf[1024];
 int total, len, written;
 BIO *file = BIO_new_file(out.bin, w);
 BIO *buffer = BIO_new(BIO_f_buffer());
 BIO *cipher = BIO_new(BIO_f_cipher());

 strcpy(buf, Simple Text to Encrypt);

 BIO_set_cipher(cipher, EVP_rc4(), mysecretkey, NULL, 1);

 BIO_push (cipher, buffer);
 BIO_push (buffer, file);

 len = strlen(buf);
 written = 0;
 for (total = 0; total  len; total += written) {
 if ((written = BIO_write(cipher, buf + total, len - total)) =
 0) {
 if (BIO_should_retry(cipher)) {
 written =0;
 continue;
 }
 break;
 }
 }
 BIO_flush(cipher);
 BIO_free_all(cipher);
 }

 compiled it, and when executed I get a out.bin, then when I try to decrypt it
 it fails:

 $ openssl enc -d -rc4 -in out.bin -k mysecretkey
 bad magic number

 what I'm I doing wrong? maybe the -k -K -iv options? as BIO_set_cipher as well
 maybe?

 Regards and thank for your time
 __
 OpenSSL Project http://www.openssl.org
 User Support Mailing Listopenssl-users@openssl.org
 Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: Encryption / Decryption from file

2006-03-09 Thread Dr. Stephen Henson 
On Thu, Mar 09, 2006, Manuel Arguelles wrote:

 
 $ openssl enc -d -rc4 -in out.bin -k mysecretkey
 bad magic number
 
 what I'm I doing wrong? maybe the -k -K -iv options? as BIO_set_cipher as 
 well 
 maybe?
 

With the default options the 'enc' command uses a salted key derivation
algorithm which avoids certain known plaintext attacks. Those are particularly
important with stream ciphers such as RC4. It also includes some data at the
beggining of the data so that form can be recognized.

Your program seems to be using the passphrase directly as the key. So the two
formats are incompatible and the 'enc' program is detecting that.

You can make the 'enc' command do the same if you use the -nosalt option.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: Encryption / Decryption from file

2006-03-09 Thread Manuel Arguelles 
well yes:

$ cat in.txt
hello
$ openssl enc -e -rc4 -out out.bin -k mysecretkey -in in.txt
$ openssl enc -d -rc4 -in out.bin -k mysecretkey
hello

and the openssl api should be compatible with the binary cli right??

Regards

On Thu 09 Mar 2006 18:05, Kyle Hamilton wrote:
 'bad magic number' could actually be an OS error.  Has that openssl
 binary worked for you before on other commands?

 -Kyle H

 On 3/9/06, Manuel Arguelles [EMAIL PROTECTED] wrote:
  Hello list,
 
  I'm new here, I'm trying to encrypt / decrypt text in a file using the
  rc4, the problem is that I'm not getting good results, here's what I'm
  doing for encryption:
 
  #include stdio.h
  #include stdlib.h
  #include openssl/bio.h
  #include openssl/evp.h
 
  int main(void)
  {
  char buf[1024];
  int total, len, written;
  BIO *file = BIO_new_file(out.bin, w);
  BIO *buffer = BIO_new(BIO_f_buffer());
  BIO *cipher = BIO_new(BIO_f_cipher());
 
  strcpy(buf, Simple Text to Encrypt);
 
  BIO_set_cipher(cipher, EVP_rc4(), mysecretkey, NULL, 1);
 
  BIO_push (cipher, buffer);
  BIO_push (buffer, file);
 
  len = strlen(buf);
  written = 0;
  for (total = 0; total  len; total += written) {
  if ((written = BIO_write(cipher, buf + total, len -
  total)) = 0) {
  if (BIO_should_retry(cipher)) {
  written =0;
  continue;
  }
  break;
  }
  }
  BIO_flush(cipher);
  BIO_free_all(cipher);
  }
 
  compiled it, and when executed I get a out.bin, then when I try to
  decrypt it it fails:
 
  $ openssl enc -d -rc4 -in out.bin -k mysecretkey
  bad magic number
 
  what I'm I doing wrong? maybe the -k -K -iv options? as BIO_set_cipher as
  well maybe?
 
  Regards and thank for your time
  __
  OpenSSL Project http://www.openssl.org
  User Support Mailing Listopenssl-users@openssl.org
  Automated List Manager   [EMAIL PROTECTED]

 __
 OpenSSL Project http://www.openssl.org
 User Support Mailing Listopenssl-users@openssl.org
 Automated List Manager   [EMAIL PROTECTED]
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: Encryption / Decryption from file

2006-03-09 Thread Manuel Arguelles 
you mean like this?

$ openssl enc -d -rc4 -in out.bin -k mysecretkey -nosalt
¨Å¥
óVRCÑÆMðù6o

or maybe using the -K -iv options

key[0]=0xA0; key[1]=0xA1;
iv[0]=0xB0; iv[1]=0xB1;
BIO_set_cipher(cipher, EVP_rc4(), key, iv, 1);

can I use
openssl enc -d -rc4 -in out.bin -K A0A1 -iv B0B1

??


On Thu 09 Mar 2006 18:23, Dr. Stephen Henson wrote:
 On Thu, Mar 09, 2006, Manuel Arguelles wrote:
  $ openssl enc -d -rc4 -in out.bin -k mysecretkey
  bad magic number
 
  what I'm I doing wrong? maybe the -k -K -iv options? as BIO_set_cipher as
  well maybe?

 With the default options the 'enc' command uses a salted key derivation
 algorithm which avoids certain known plaintext attacks. Those are
 particularly important with stream ciphers such as RC4. It also includes
 some data at the beggining of the data so that form can be recognized.

 Your program seems to be using the passphrase directly as the key. So the
 two formats are incompatible and the 'enc' program is detecting that.

 You can make the 'enc' command do the same if you use the -nosalt option.

 Steve.
 --
 Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
 OpenSSL project core developer and freelance consultant.
 Funding needed! Details on homepage.
 Homepage: http://www.drh-consultancy.demon.co.uk
 __
 OpenSSL Project http://www.openssl.org
 User Support Mailing Listopenssl-users@openssl.org
 Automated List Manager   [EMAIL PROTECTED]
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: Encryption / Decryption from file

2006-03-09 Thread Dr. Stephen Henson 
On Thu, Mar 09, 2006, Manuel Arguelles wrote:

 you mean like this?
 
 $ openssl enc -d -rc4 -in out.bin -k mysecretkey -nosalt
 ¨Å¥
 óVRCÑÆMðù6o
 
 or maybe using the -K -iv options
 
 key[0]=0xA0; key[1]=0xA1;
 iv[0]=0xB0; iv[1]=0xB1;
 BIO_set_cipher(cipher, EVP_rc4(), key, iv, 1);
 
 can I use
 openssl enc -d -rc4 -in out.bin -K A0A1 -iv B0B1
 

Well RC4 is a stream cipher meaning that it doesn't have an IV. Also the
buffer passed to the key argument must contain a key of the required length.
If it isn't it will use whatever data is in memory after the supplied pointer.

In the case of RC4 the default length is 128 bits so for test purposes use a
string with exactly 16 characters in it.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

MGF1 function

2006-03-09 Thread Ken Goldman 
Is there some reason that the MGF1 function is not exposed?

In the Unix port, one can simply create a prototype and use the
function.  However, Windows requires explicit export.  So unless I
rebuild openSSL for Windows, I can't get to the function.

-- 
Ken Goldman   [EMAIL PROTECTED]   914-784-7646
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]