Question on how to use AES-128-CTR
I'm playing with various crypto libraries to encrypt/decrypt in AES-128-CTR. 2 of the 3 libs inter-operate fine with each other; i.e. I can encrypt with one and decrypt with the other and vice versa. However, when I use openssl with any of these libs, I am having problems. It seems like up to the first 16 bytes is decrypted fine. But after that, it's messed up.

For example, if I use openssl to encrypt the string, 12345678901234567890, the other end will only decrypt 1234567890123456 followed by 4 bytes of garbage. And if the other lib encrypts 12345678901234567890, openssl will only decrypt 1234567890123456 followed by 4 bytes of garbage. However, if both ends are openssl, everything seems fine. But because the other 2 libs seem to work well with each other, I guess I'm not using the openssl APIs correctly?

Below is the code for my AES-128-CTR encrypter/decrypter

    #include <cassert>
    #include <cstring>
    #include <openssl/aes.h>

    // U8/U32 are not defined in the post; assumed to be these typedefs.
    typedef unsigned char U8;
    typedef unsigned int  U32;

    class AES128CTR
    {
    protected:
        bool    m_bEncrypt;                    // indicates if this is used to encrypt or decrypt
        AES_KEY m_key;
        U8      m_iv[AES_BLOCK_SIZE];          // counter block, updated by each call
        U8      m_ecount_buf[AES_BLOCK_SIZE];  // encrypted counter (current keystream block)
        U32     m_num;                         // offset into the current keystream block

    public:
        AES128CTR(const U8* key, U32 len, const U8* iv, U32 ivlen, bool bEncrypt)
            : m_bEncrypt(bEncrypt), m_num(0)
        {
            assert(len == 16 && ivlen == 16);
            // if (len != 16 || ivlen != 16) return;

            // key and iv need to be 128-bits
            len = ivlen = 16;
            memcpy(m_iv, iv, ivlen);
            memset(m_ecount_buf, 0, sizeof(m_ecount_buf));
            int ret = AES_set_encrypt_key(key, len*8/*bits*/, &m_key); // returns 0 for success
            assert(!ret);
        }

        virtual ~AES128CTR() { }

        bool encrypt(const U8* in, U32 inlen, U8* out, U32* outlen)
        {
            if (m_bEncrypt) {
                AES_ctr128_encrypt(in, out, inlen, &m_key, m_iv, m_ecount_buf, &m_num);
                *outlen = inlen;
                return true;
            }
            return false;
        }

        bool decrypt(const U8* in, U32 inlen, U8* out, U32* outlen)
        {
            if (!m_bEncrypt) {
                // NOTE: calling AES_ctr128_encrypt to decrypt because AES_ctr128_encrypt is its own inverse.
                AES_ctr128_encrypt(in, out, inlen, &m_key, m_iv, m_ecount_buf, &m_num);
                *outlen = inlen;
                return true;
            }
            return false;
        }
    };

    // this is how I encrypt data
    // (key and iv are 16-byte buffers; the post does not show the constructor arguments)
    AES128CTR aesEncrypt(key, 16, iv, 16, true);
    const char* str = "12345678901234567890";
    U8 ciphertext[1024];
    U32 len = sizeof(ciphertext);
    aesEncrypt.encrypt((const U8*)str, strlen(str), ciphertext, &len);
    ...
    // this is how I decrypt data
    AES128CTR aesDecrypt(key, 16, iv, 16, false);
    U8 plaintext[1024];
    U32 len = sizeof(plaintext);
    aesDecrypt.decrypt(in, inlen, plaintext, &len);
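An added example, not part of the original post and not OpenSSL code: output that is correct for the first 16 bytes and garbage afterwards is what CTR mode produces when two implementations share the key and initial counter block but advance the counter differently. The sketch uses a stand-in block function instead of AES; `toy_block`, `Inc`, `ctr_xor`, `KEY` and `IV` are hypothetical names, and the two increment conventions are illustrative, not a diagnosis of any particular library.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>

// Constructed sample key and initial counter block (not from the post).
static const uint8_t KEY[16] = {0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15};
static const uint8_t IV[16]  = {9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,0xff};

// Stand-in for the AES block encryption: an FNV-1a style mix of key and
// counter. NOT a cipher; it only makes the keystream depend on both inputs.
static void toy_block(const uint8_t key[16], const uint8_t ctr[16], uint8_t out[16]) {
    uint64_t h = 1469598103934665603ULL;
    for (int i = 0; i < 16; ++i) { h ^= key[i]; h *= 1099511628211ULL; }
    for (int i = 0; i < 16; ++i) { h ^= ctr[i]; h *= 1099511628211ULL; }
    for (int i = 0; i < 16; ++i) { h ^= i; h *= 1099511628211ULL; out[i] = uint8_t(h >> 56); }
}

enum class Inc { BigEndian, LittleEndian };  // which end of the block counts up

// Add 1 to the 128-bit counter block, with carry, in the chosen byte order.
static void increment(uint8_t ctr[16], Inc how) {
    if (how == Inc::BigEndian) { for (int i = 15; i >= 0; --i) if (++ctr[i]) break; }
    else                       { for (int i = 0; i < 16; ++i)  if (++ctr[i]) break; }
}

// CTR transform: the same call encrypts and decrypts.
std::string ctr_xor(const uint8_t key[16], const uint8_t iv[16],
                    const std::string& in, Inc how) {
    uint8_t ctr[16], ks[16] = {0};
    std::memcpy(ctr, iv, 16);
    std::string out(in.size(), '\0');
    for (size_t i = 0; i < in.size(); ++i) {
        // New keystream block every 16 bytes; block 0 uses the IV unchanged.
        if (i % 16 == 0) { toy_block(key, ctr, ks); increment(ctr, how); }
        out[i] = static_cast<char>(static_cast<uint8_t>(in[i]) ^ ks[i % 16]);
    }
    return out;
}

int main() {
    const std::string pt = "12345678901234567890";
    const std::string ct = ctr_xor(KEY, IV, pt, Inc::BigEndian);
    const std::string same  = ctr_xor(KEY, IV, ct, Inc::BigEndian);
    const std::string mixed = ctr_xor(KEY, IV, ct, Inc::LittleEndian);
    std::printf("same convention: %s\n", same == pt ? "ok" : "mismatch");
    std::printf("mixed: first 16 ok=%d, whole ok=%d\n",
                mixed.compare(0, 16, pt, 0, 16) == 0, mixed == pt);
}
```

When chasing a real mismatch, encrypting 32 zero bytes with each library under the same key and IV exposes the raw keystream, and the first block where the two outputs diverge shows where the counter handling differs.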
Be-my-own-CA certificate problems
Hello list,

I'm having trouble getting ssltunnel to work; and it seems OpenSSL is the culprit (or my undoing of course). I thought I had my certificates set up correctly, but when I connect with the client to the server I get the following messages:

    client: ssl_connect : error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    server: pppserver[26904]: ssl_accept : error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca

I was unable to isolate the problem to the client/server; using tcpdump did not yield any human readable input. I suspect the server is misconfigured though. It could be that it does not have read access to the ca certificate file (READ_BYTES would implicate this). But permissions are set up correctly and everything is run as root. I also tried to verify the certificates, including the trusted.pem (my own CA cert) and that yielded no errors.

The server uses three OpenSSL-generated files:

- trusted.pem - public certificate used for signing the other two:
- server.crt - server certificate, signed by my own CA
- server.key - server private key, without passphrase

Of course for signing I used the other files generated by OpenSSL (private CA key etc), but my application (ssltunnel) only requires these three files. I did verify these three files; OpenSSL says:

    # openssl x509 -subject -issuer -enddate -noout -in server.crt
    subject= /C=NL/CN=ONZ
    issuer= /C=NL/O=ONZCA/CN=ONZCA
    notAfter=Dec 23 02:02:32 2007 GMT

This to me sounds like the certificate is valid. The server is called ONZ and the CA-cert uses ONZCA; pretty simple right? So what's going wrong? Does OpenSSL itself need access to more files; does OpenSSL want to read the certificates as a non-root user? Are my certificates bad?

All certificates were created using OpenSSL 0.9.7d on FreeBSD. The ssltunnel client is a newer machine and uses 0.9.7e-p1 instead. On both machines I'm using ssltunnel 1.15 compiled using the port-version.

For generating the certificates I have followed this tutorial: http://www.g-loaded.eu/2005/11/10/be-your-own-ca/

Any help is much appreciated!

Thanks,
- diac

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]