unsolved memory leak
Hello, I'm working on a client - multithreaded-server application, both side authenticating each other with auto-signed certs. After lots of adventures, I finally end-up with a memory leak problem which is detected using valgrind (and crazy self-test with tons of clients connecting to the server). When the server is asked to leave, then valgrind complains about unallocated memory (allocated in server's threads, one per connection from clients): c_ssl = SSL_new(c_ctx); c_ssl_client = BIO_new_socket(c_peer_sock, BIO_NOCLOSE); SSL_set_bio(c_ssl, c_ssl_client, c_ssl_client); c_buf_io = BIO_new(BIO_f_buffer()); /* create a buffer BIO */ -- c_ssl_bio = BIO_new(BIO_f_ssl()); /* create an ssl BIO */ BIO_set_ssl(c_ssl_bio, c_ssl, BIO_CLOSE); /* assign the ssl BIO to SSL */ BIO_push(c_buf_io, c_ssl_bio); /* add c_ssl_bio to c_buf_io */ This BIO_new(BIO_f_ssl()) is leaking and apparently I do not know how to release it. What I do when a server's thread has finished working is: if (c_buf_io) BIO_free(c_buf_io); if (c_ssl_client) BIO_free_all(c_ssl_client); if (c_ssl) SSL_free(c_ssl); // memory leak !! (this BIO_free() segfaults) //if (c_ssl_bio) // BIO_free(c_ssl_bio); // from http://readlist.com/lists/openssl.org/openssl-users/0/1352.html // (no effect) ERR_remove_state(0); ERR_free_strings(); // might be useless Surely I'm doing something wrong, and I'd be glad if some experts from you could lighten me :-) Best regards, David Gauchard Valgrind logs : ==5410== 1,597,904 (699,608 direct, 898,296 indirect) bytes in 10,931 blocks are definitely lost in loss record 15 of 15 ==5410==at 0x401D38B: malloc (vg_replace_malloc.c:149) ==5410==by 0x430556D: default_malloc_ex (mem.c:79) ==5410==by 0x4305BD8: CRYPTO_malloc (mem.c:304) ==5410==by 0x4364225: BIO_new (bio_lib.c:70) ==5410==by 0x8055B4E: (c_ssl_bio = BIO_new(BIO_f_ssl());) __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
How to load and use ccgost
Hi I've compiled the openssl 0.9.9 (checked out from cvs), both on Windows and Linux. My problem is that ccgost loads successfully, but when I try to compute a hash (-md_gost94) or do encryption, a runtime error generates (It says that error has occurred in libeay32.dll; on linux, segmentation fault occurres) Could you give me some hints about the correct use of ccgost ? Am I doing something wrong ?
Re: Issue with encrypting emails using openssl
Hi, Can you elaborate on the steps you have performed on configuring your outlook. Regards Krishna On Wed, May 14, 2008 at 5:35 PM, Viresh Singh [EMAIL PROTECTED] wrote: Hi I am trying to create a certificate authority. I am trying secure emails from my clients to my server. The client certificates import fine. Trying to send a signed email work fine but encrypting the email does not. It states that the intended recipient has missing or invalid certificates, or conflicting or unsupported encryption capabilities. I am using openssl version 0.9.8g, using Microsoft Outlook as the email client. Any help will much be appreciated. Thanks, Viresh Singh Developer Any unauthorized use or interception of this e-mail is illegal. If this e-mail is not intended for you, you may not copy, distribute or disclose the contents to anyone. Save for bona fide company matters, Next Generation Network Telecommunications (Pty) Ltd do not accept any responsibility for the opinions expressed in this e-mail. No binding contract will result from this e-mail until such time as a written agreement is signed by the parties and subject to the approval of the board of directors of Next Generation Network Telecommunications (Pty) Ltd. Any concepts and ideas in this e-mail have been developed by Next Generation Network Telecommunications (Pty) Ltd and is property to Next Generation Network Telecommunications (Pty) Ltd. Such information is to be kept confidential and cannot be divulged. Any unauthorized disclosure may cause Next Generation Network Telecommunications (Pty) Ltd substantial losses. Any disclosure, re-transmission, dissemination or any other use of this information is strictly prohibited. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Problems parsing ASN1_SEQUENCE
Hi all. Here is my problem. I have a P7M file with 2 signatures. Every signature contains a countersignature. I've already successfully parsed the P7M file, and I've got the two Signature infos. What I do next is: ASN1_TYPE *res = PKCS7_get_attribute(m_pSignerInfo, NID_pkcs9_countersignature); printf (SEQUENCE ? %d\n, V_ASN1_SEQUENCE == res-type); The output is SEQUENCE ? 1 So, I'm sure I got an ASN1_SEQUENCE. How can I loop through the values of the sequence? Do I have to convert it to a STACK_OF(PKCS7_SIGNER_INFO) ? If yes, how can I do it (sorry, I'm not very expert about OpenSSL...) ? Thank you all very much!! Regards. Massimiliano Ziccardi __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Problem with ASN1_SEQUENCE
Hi all. Here is my problem. I have a P7M file with 2 signatures. Every signature contains a countersignature. I've already successfully parsed the P7M file, and I've got the two Signature infos. What I do next is: ASN1_TYPE *res = PKCS7_get_attribute(m_pSignerInfo, NID_pkcs9_countersignature); printf (SEQUENCE ? %d\n, V_ASN1_SEQUENCE == res-type); The output is SEQUENCE ? 1 So, I'm sure I got an ASN1_SEQUENCE. How can I loop through the values of the sequence? Do I have to convert it to a STACK_OF(PKCS7_SIGNER_INFO) ? If yes, how can I do it (sorry, I'm not very expert about OpenSSL...) ? Thank you all very much!! Regards. Massimiliano Ziccardi
Re: Problem with ASN1_SEQUENCE
On Mon, May 19, 2008, Massimiliano Ziccardi wrote: Hi all. Here is my problem. I have a P7M file with 2 signatures. Every signature contains a countersignature. I've already successfully parsed the P7M file, and I've got the two Signature infos. What I do next is: ASN1_TYPE *res = PKCS7_get_attribute(m_pSignerInfo, NID_pkcs9_countersignature); printf (SEQUENCE ? %d\n, V_ASN1_SEQUENCE == res-type); The output is SEQUENCE ? 1 So, I'm sure I got an ASN1_SEQUENCE. How can I loop through the values of the sequence? Do I have to convert it to a STACK_OF(PKCS7_SIGNER_INFO) ? If yes, how can I do it (sorry, I'm not very expert about OpenSSL...) ? You need to extract the ASN1_STRING structure form ASN1_TYPE and then its data and length. If you pass those through d2i_PKCS7_SIGNER_INFO() you'll get the parsed structure. Note that the above will only retrieve a single countersignature. There could be more than on per SignerInfo structure. If you want to see if there is more than one you need to loop round all attributes of the correct type. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Problem with ASN1_SEQUENCE
Hi Stephen. Thank you very much! This is my code (just a snippet): STACK_OF(X509_ATTRIBUTE)* unauth_attr = pSignerInfo-unauth_attr; ASN1_TYPE *res = PKCS7_get_attribute(m_pSignerInfo, NID_pkcs9_countersignature); Now, res should point to a SEQUENCE of COUNTER SIGNATUREs. You told: You need to extract the ASN1_STRING structure form ASN1_TYPE and then its data and length you mean: res-value.sequence-data res-value.sequence-length ? Then: If you want to see if there is more than one you need to loop round all attributes of the correct type. If I'm not wrong, those counter signatures should be all inside the same ASN1 Sequence, right? How can I loop through all the ASN1 Sequence elements? Thanks you very much! Regards, Massimiliano Ziccardi On Mon, May 19, 2008 at 12:17 PM, Dr. Stephen Henson [EMAIL PROTECTED] wrote: On Mon, May 19, 2008, Massimiliano Ziccardi wrote: Hi all. Here is my problem. I have a P7M file with 2 signatures. Every signature contains a countersignature. I've already successfully parsed the P7M file, and I've got the two Signature infos. What I do next is: ASN1_TYPE *res = PKCS7_get_attribute(m_pSignerInfo, NID_pkcs9_countersignature); printf (SEQUENCE ? %d\n, V_ASN1_SEQUENCE == res-type); The output is SEQUENCE ? 1 So, I'm sure I got an ASN1_SEQUENCE. How can I loop through the values of the sequence? Do I have to convert it to a STACK_OF(PKCS7_SIGNER_INFO) ? If yes, how can I do it (sorry, I'm not very expert about OpenSSL...) ? You need to extract the ASN1_STRING structure form ASN1_TYPE and then its data and length. If you pass those through d2i_PKCS7_SIGNER_INFO() you'll get the parsed structure. Note that the above will only retrieve a single countersignature. There could be more than on per SignerInfo structure. If you want to see if there is more than one you need to loop round all attributes of the correct type. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Problem with ASN1_SEQUENCE
On Mon, May 19, 2008, Massimiliano Ziccardi wrote: Hi Stephen. Thank you very much! This is my code (just a snippet): STACK_OF(X509_ATTRIBUTE)* unauth_attr = pSignerInfo-unauth_attr; ASN1_TYPE *res = PKCS7_get_attribute(m_pSignerInfo, NID_pkcs9_countersignature); Now, res should point to a SEQUENCE of COUNTER SIGNATUREs. No it contains the encoding of a single counter signature. The specs state that you can have either one ore more counter signature attributes or more than one countersignature per attribute. You need to iterate over the attributes and each attribute to find all countersignatures. That is a bit messy and there should really be a function to do this. You told: You need to extract the ASN1_STRING structure form ASN1_TYPE and then its data and length you mean: res-value.sequence-data res-value.sequence-length ? You should avoid accessing structures directly where possible but there isn't anything here which can extract the data. So you need something like... ASN1_STRING *csig = res-value.sequence; Then get the length with ASN1_STRING_length() and its data with ASN1_STRING_data(). Then pass those through d2i_PKCS7_SIGNER_INFO() see FAQ and docs for details and pitfalls. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
stunnel 4.24 released
Dear Users, I have just released a new version of stunnel, which fixes a security issue in the OCSP functionality. The bug allows a revoked certificate to successfully authenticate. Any installations with OCSP enabled should be upgraded ASAP. Other users are not affected. Home page/download: http://stunnel.mirt.net/ sha1sum for stunnel-4.24.tar.gz file: ec6db4080199d11e020b780da0f1cc37d37d9233 Best regards, Mike __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Problem with ASN1_SEQUENCE
Hi Stephen. Thank you for your answer, and excuse me if my questions can look stupid to you, but your answer made me a little bit confused (probably that's 'cause I'm a newbie with openssl...). Following your directions, I've been able to parse the first counter signature of every signature. My confusion is about this : You need to iterate over the attributes and each attribute to find all countersignatures. How can I iterate since PKCS7_get_attribute(m_pSignerInfo, NID_pkcs9_countersignature); returns just one object? And I still can't find anywhere how I can loop through the elements of a sequence... I've looked very much in the mailing list archive and in the FAQ, but I couldn't find any good answer... Thank you for your help and your time. Regards, Massimiliano Ziccardi On Mon, May 19, 2008 at 1:30 PM, Dr. Stephen Henson [EMAIL PROTECTED] wrote: On Mon, May 19, 2008, Massimiliano Ziccardi wrote: Hi Stephen. Thank you very much! This is my code (just a snippet): STACK_OF(X509_ATTRIBUTE)* unauth_attr = pSignerInfo-unauth_attr; ASN1_TYPE *res = PKCS7_get_attribute(m_pSignerInfo, NID_pkcs9_countersignature); Now, res should point to a SEQUENCE of COUNTER SIGNATUREs. No it contains the encoding of a single counter signature. The specs state that you can have either one ore more counter signature attributes or more than one countersignature per attribute. You need to iterate over the attributes and each attribute to find all countersignatures. That is a bit messy and there should really be a function to do this. You told: You need to extract the ASN1_STRING structure form ASN1_TYPE and then its data and length you mean: res-value.sequence-data res-value.sequence-length ? You should avoid accessing structures directly where possible but there isn't anything here which can extract the data. So you need something like... ASN1_STRING *csig = res-value.sequence; Then get the length with ASN1_STRING_length() and its data with ASN1_STRING_data(). Then pass those through d2i_PKCS7_SIGNER_INFO() see FAQ and docs for details and pitfalls. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Update: !!! [AEC CBC decryption] Decrypted data Length problem (AES_cbc_encrypt)...
*Sorry for the first mail!!* Hi all, I'm new on openssl development, so I'm sorry if that a beginner's question . I'm trying to decrypt a *base64 AES CBC* encrypted data (using the *AES_cbc_encrypt*). The base64 encoding/decoding works fine. the code below works depending on data length: - The example with : data =*This is a long very long test* works fine, I have the good decrypted data. - The second one *This is a test* doesn't work... I read somewhere that's depending of data padding... Have you any idea?? .. int main(int argc, char *argv[]) { unsigned char key[] = {0,1,2,3,4,5,6,7,8,9,0,'a','b','c','d','e'}; unsigned char iv[] = {0,1,2,3,4,5,6,7,8,9,0,'a','b','c','d','e'}; unsigned char iv1[] = {0,1,2,3,4,5,6,7,8,9,0,'a','b','c','d','e'}; unsigned char* data =This is a test; //unsigned char* data =This is a long very long test; unsigned char* buffer = (char *) malloc(60); unsigned char* buffer1 = (char *) malloc(60); unsigned long bufferLength= (ceil(strlen(data)/16)+1)*16; AES_KEY aeskeyEnc, aeskeyDec; AES_set_encrypt_key (key, KeyLength*8, aeskeyEnc); AES_set_decrypt_key (key, KeyLength*8, aeskeyDec); /*Encrypting...*/ AES_cbc_encrypt(data, buffer, bufferLength, aeskeyEnc, iv, AES_ENCRYPT); //AES_cbc_encrypt(data, buffer, strlen(data), aeskeyEnc, iv, AES_ENCRYPT); printf(Encrypted data: %s\n,buffer); /*To Base64 encrypted data */ char *base64Buffer = base64(buffer, strlen(buffer)); printf(Base64 Encrypted data: %s\n,base64Buffer); /* Unbase64 of encrypted data*/ char* test_1 = strcat(base64Buffer,\n\0); char* unBase64 = unbase64(base64Buffer, strlen(base64Buffer)); /*Decypting unBase64...*/ AES_cbc_encrypt(unBase64, buffer1,bufferLength, aeskeyDec, iv1, AES_DECRYPT); //AES_cbc_encrypt(unBase64, buffer1, strlen(unBase64), aeskeyDec, iv1, AES_DECRYPT); printf(Decrypted data: %s \n,buffer1); return(0); } -- Karim Bendadda
Re: Update: !!! [AEC CBC decryption] Decrypted data Length problem (AES_cbc_encrypt)...
On Mon May 19 2008 09:35, karim Bendadda wrote: *Sorry for the first mail!!* Unless you can guarantee that the strings do not contain embedded zeros; strlen() will not give the expected results. Mike Hi all, I'm new on openssl development, so I'm sorry if that a beginner's question . I'm trying to decrypt a *base64 AES CBC* encrypted data (using the *AES_cbc_encrypt*). The base64 encoding/decoding works fine. the code below works depending on data length: - The example with : data =*This is a long very long test* works fine, I have the good decrypted data. - The second one *This is a test* doesn't work... I read somewhere that's depending of data padding... Have you any idea?? .. int main(int argc, char *argv[]) { unsigned char key[] = {0,1,2,3,4,5,6,7,8,9,0,'a','b','c','d','e'}; unsigned char iv[] = {0,1,2,3,4,5,6,7,8,9,0,'a','b','c','d','e'}; unsigned char iv1[] = {0,1,2,3,4,5,6,7,8,9,0,'a','b','c','d','e'}; unsigned char* data =This is a test; //unsigned char* data =This is a long very long test; unsigned char* buffer = (char *) malloc(60); unsigned char* buffer1 = (char *) malloc(60); unsigned long bufferLength= (ceil(strlen(data)/16)+1)*16; AES_KEY aeskeyEnc, aeskeyDec; AES_set_encrypt_key (key, KeyLength*8, aeskeyEnc); AES_set_decrypt_key (key, KeyLength*8, aeskeyDec); /*Encrypting...*/ AES_cbc_encrypt(data, buffer, bufferLength, aeskeyEnc, iv, AES_ENCRYPT); //AES_cbc_encrypt(data, buffer, strlen(data), aeskeyEnc, iv, AES_ENCRYPT); printf(Encrypted data: %s\n,buffer); /*To Base64 encrypted data */ char *base64Buffer = base64(buffer, strlen(buffer)); printf(Base64 Encrypted data: %s\n,base64Buffer); /* Unbase64 of encrypted data*/ char* test_1 = strcat(base64Buffer,\n\0); char* unBase64 = unbase64(base64Buffer, strlen(base64Buffer)); /*Decypting unBase64...*/ AES_cbc_encrypt(unBase64, buffer1,bufferLength, aeskeyDec, iv1, AES_DECRYPT); //AES_cbc_encrypt(unBase64, buffer1, strlen(unBase64), aeskeyDec, iv1, AES_DECRYPT); printf(Decrypted data: %s \n,buffer1); return(0); } __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Usage of STACK_OF(X509)
Hi everybody, I try to verify a small X509 chain: ca.pem (self signed) - client.pem On the commandline I do: cat ca.pem client.pem all.pem and openssl verify -CAfile ca.pem all.pem (or similar, cannot remember the exact syntax, but that works like this) In my little C program, I don't want to do a cat (or store everything in one file). I open ca.pem and client.pem. In order to verify client.pem, I think I have to create a STACK_OF(X509) to store both in a chain. The following code worked for all.pem and without STACK_OF(X509), but using different files (that means ca.pem AND client.pem) and STACK_OF(X509) does not work. I also tried to push cert and ca in the different order, but that didn't help. Does anybody see the small error I made? Any hints are appreciated! Thanks a lot in advance Carolin int verify_valid_chain(X509 *cert,X509 *ca) { X509_STORE *store; X509_LOOKUP *lookup; X509_STORE_CTX *verify_ctx; STACK_OF(X509) *st=sk_X509_new_null(); sk_X509_push(st,cert); sk_X509_push(st,ca); if(!(store=X509_STORE_new())) int_error(Error creating X509_STORE_CTX object); if(X509_STORE_load_locations(store,SOME_CA,NULL)!=1) int_error(Error loading the CA file); if(X509_STORE_set_default_paths(store)!=1) int_error(Error loading the system-wide CAs); if(!(lookup=X509_STORE_add_lookup(store,X509_LOOKUP_file( int_error(Error creating X509_LOOKUP object); if(!(verify_ctx = X509_STORE_CTX_new())) int_error(Error creating X509_STORE_CTX object); if(X509_STORE_CTX_init(verify_ctx,store,cert,st)!=1) int_error(Error initializing verification context); if(X509_verify_cert(verify_ctx) !=1) { int err; int_error(Error verifying the certificate); err=X509_STORE_CTX_get_error(verify_ctx); printf(ERROR: %s\n,X509_verify_cert_error_string(err)); sk_X509_free(st); return -1; } else { printf(Certificate verified correctly!\n); sk_X509_free(st); return 0; } } __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
X509_LOOKUP_by_subject
Hi *, i am programming a networkapplication that uses X509 Certs. On each peer there is a directory, that contains the CA and all peer certs. I also used c_rehash on that directory. The application should now be able to retrieve a X509 from that directory, with a given commonName. I tried the following, but the code is not able to retrieve a cert (only segfaults). Am i totally wrong or is there a chance to get this running? (Error checking etc. removed...) struct entry { char *key; char *value; }; struct entry entries[ENTRY_COUNT] = { {countryName, DE }, {stateOrProvinceName, Germany }, {localityName,MyTown}, {organizationName,MyCompany}, {commonName,server-common-name-string}, }; X509_NAME * get_X509_Name(const char *cn) { X509_NAME *subj; int nid; X509_NAME_ENTRY *ent; int i; subj = X509_NAME_new(); for(i=0;i ENTRY_COUNT;i++) { int nid; X509_NAME_ENTRY *ent; nid = OBJ_txt2nid(entries[i].key)) == NID_undef ent = X509_NAME_ENTRY_create_by_NID(NULL,nid,MBSTRING_ASC,entries[i].value,-1); X509_NAME_add_entry(subj, ent, -1,0) != 1); } return subj; } X509 * get_CERT_by_cn(const char *cn) { X509_OBJECT *obj; X509_NAME *subj; subj = get_X509_Name(cn); X509_LOOKUP *lookup; lookup = X509_LOOKUP_new(X509_LOOKUP_hash_dir()); X509_LOOKUP_init(lookup); X509_LOOKUP_add_dir(lookup,CADIRNAME,X509_FILETYPE_PEM); int i = X509_LOOKUP_by_subject(lookup,X509_LU_X509,subj,obj); /*X509_LOOKUP_by_subject returns segfaults...*/ return obj-data.x509; } Volker __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Update: !!! [AEC CBC decryption] Decrypted data Length problem (AES_cbc_encrypt)...
Thank you for your quick answer! I see what you mean... that's the problem: How can I guarantee this?? I will receive an encrypted data, I have the key and the vector. How can I decrypted the data ?? Thanks! On Mon, May 19, 2008 at 4:53 PM, Michael S. Zick [EMAIL PROTECTED] wrote: On Mon May 19 2008 09:35, karim Bendadda wrote: *Sorry for the first mail!!* Unless you can guarantee that the strings do not contain embedded zeros; strlen() will not give the expected results. Mike Hi all, I'm new on openssl development, so I'm sorry if that a beginner's question . I'm trying to decrypt a *base64 AES CBC* encrypted data (using the *AES_cbc_encrypt*). The base64 encoding/decoding works fine. the code below works depending on data length: - The example with : data =*This is a long very long test* works fine, I have the good decrypted data. - The second one *This is a test* doesn't work... I read somewhere that's depending of data padding... Have you any idea?? .. int main(int argc, char *argv[]) { unsigned char key[] = {0,1,2,3,4,5,6,7,8,9,0,'a','b','c','d','e'}; unsigned char iv[] = {0,1,2,3,4,5,6,7,8,9,0,'a','b','c','d','e'}; unsigned char iv1[] = {0,1,2,3,4,5,6,7,8,9,0,'a','b','c','d','e'}; unsigned char* data =This is a test; //unsigned char* data =This is a long very long test; unsigned char* buffer = (char *) malloc(60); unsigned char* buffer1 = (char *) malloc(60); unsigned long bufferLength= (ceil(strlen(data)/16)+1)*16; AES_KEY aeskeyEnc, aeskeyDec; AES_set_encrypt_key (key, KeyLength*8, aeskeyEnc); AES_set_decrypt_key (key, KeyLength*8, aeskeyDec); /*Encrypting...*/ AES_cbc_encrypt(data, buffer, bufferLength, aeskeyEnc, iv, AES_ENCRYPT); //AES_cbc_encrypt(data, buffer, strlen(data), aeskeyEnc, iv, AES_ENCRYPT); printf(Encrypted data: %s\n,buffer); /*To Base64 encrypted data */ char *base64Buffer = base64(buffer, strlen(buffer)); printf(Base64 Encrypted data: %s\n,base64Buffer); /* Unbase64 of encrypted data*/ char* test_1 = strcat(base64Buffer,\n\0); char* unBase64 = unbase64(base64Buffer, strlen(base64Buffer)); /*Decypting unBase64...*/ AES_cbc_encrypt(unBase64, buffer1,bufferLength, aeskeyDec, iv1, AES_DECRYPT); //AES_cbc_encrypt(unBase64, buffer1, strlen(unBase64), aeskeyDec, iv1, AES_DECRYPT); printf(Decrypted data: %s \n,buffer1); return(0); } __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] -- Karim
X509_verify_cert without CA certificate
Dear OpenSSL team, First, thanks for reading this. I try to verify a certificate with the function X509_verify_cert which works well when I provide a STACK_OF(X509) with one or more CA certificate. But when I try to verify a single certificate (not self-signed but CA signed) without providing any CA certificate, I get X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY which is normal. I'd still like to use this function to verify a single certificate because I do not only want to verify a signature (as X509_verify does) but I also want to check other things (attributes, time...) that X509_verify_cert verifies (X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD or X509_V_ERR_CERT_NOT_YET_VALID etc...) In order to bypass the error mentioned above, I tried to set my own verify callback function with X509_STORE_set_verify_cb_func and catch the case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY which worked, but also bypassed among other things the time verificate of the certificate (It seems the verification process doesn't go any further after my callback function returns 1). At last, I tried to address the root cause of this *problem* by overwriting the X509_STORE internal check_issued function and this worked great. Here is how the code would look like: int my_check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer) { return 1; } int blablabla() { X509_STORE *store = X509_STORE_new(); X509_STORE_CTX ctx; [...] store-check_issued=my_check_issued; [...] if (X509_verify_cert(ctx)=0) { [...] Is this acceptable from a security perspective, or am I doing something terribly wrong by doing this ? Also: Am I using a wrong approach of the things ? Is there any much easier way to check an single X509 certificate I am not aware of ? Thank you very much for your time and support, Valéry. ___ EINE FÜR ALLE: die kostenlose WEB.DE-Plattform für Freunde und Deine Homepage mit eigenem Namen. Jetzt starten! http://unddu.de/[EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: X509_verify_cert without CA certificate
Hi again, sorry, it doesn't work, I am kind of tired and wrote to fast ;) I get an X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT error, which is normal. Best regards. -Ursprüngliche Nachricht- Von: openssl-users@openssl.org Gesendet: 19.05.08 18:50:56 An: openssl-users@openssl.org Betreff: X509_verify_cert without CA certificate Dear OpenSSL team, First, thanks for reading this. I try to verify a certificate with the function X509_verify_cert which works well when I provide a STACK_OF(X509) with one or more CA certificate. But when I try to verify a single certificate (not self-signed but CA signed) without providing any CA certificate, I get X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY which is normal. I'd still like to use this function to verify a single certificate because I do not only want to verify a signature (as X509_verify does) but I also want to check other things (attributes, time...) that X509_verify_cert verifies (X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD or X509_V_ERR_CERT_NOT_YET_VALID etc...) In order to bypass the error mentioned above, I tried to set my own verify callback function with X509_STORE_set_verify_cb_func and catch the case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY which worked, but also bypassed among other things the time verificate of the certificate (It seems the verification process doesn't go any further after my callback function returns 1). At last, I tried to address the root cause of this *problem* by overwriting the X509_STORE internal check_issued function and this worked great. Here is how the code would look like: int my_check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer) { return 1; } int blablabla() { X509_STORE *store = X509_STORE_new(); X509_STORE_CTXctx; [...] store-check_issued=my_check_issued; [...] if (X509_verify_cert(ctx)=0) { [...] Is this acceptable from a security perspective, or am I doing something terribly wrong by doing this ? Also: Am I using a wrong approach of the things ? Is there any much easier way to check an single X509 certificate I am not aware of ? Thank you very much for your time and support, Valéry. ___ EINE FÜR ALLE: die kostenlose WEB.DE-Plattform für Freunde und Deine Homepage mit eigenem Namen. Jetzt starten! http://unddu.de/[EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ Bis 50 MB Dateianhänge? Kein Problem! http://freemail.web.de/club/landingpage.htm/?mc=025556 __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]