Re: Certificate validation problem

2008-10-10 Thread Gerhard Gappmeier
Thanks Dave,

today I rechecked the dump of the certificates which cause the problem.
The AUTHORITY_KEYID was really missing in them.
They were created using some MS .Net stuff.
My certificates which I create with openssl work fine.

I told the guy who created the wrong certificates about the missing field.
In our protocol this field is mandatory because our commonNames are not always 
unique.

On Friday 10 October 2008 02:03:44 Dave Thompson wrote:
  -Original Message-
  From: [EMAIL PROTECTED] On Behalf Of Gerhard Gappmeier
  Sent: Wednesday, 08 October, 2008 08:14
 
  I've a problem with validating self-signed certificates.
 
  In my use case it's possible (but unlikely) to have multiple self-signed
  certificates with the same commonName.

 More to the point, they are root CA certs -- selfsigned, AND used to sign
 child certs. Your problem is with child linkage, not selfsigned as such.

  In the used protocol the URI field in subjectAltName fulfills the
  purpose of distinguishing the application instances.

 That appears to be irrelevant.

  When validating a certificate using X509_verify_cert it seems that
  OpenSSL finds the wrong certificate in the store
  due to the same commonName and then the validation fails.
 
  As far as I understood the code - but I'm not sure - the problem is,
  that X509_check_issued() that is called indirectly by
  find_issuer() doesn't check the certificate serial number when searching
  for the issuer certificate
  and only looks for the commonName.
  This happens because no AUTHORITY_KEYID (subject-akid) is available in
  the subject structure. (why?)
  See the screenshot for details.

 Your screenshot came out totally illegible, at least for me.

 AKID is an optional extension, with several optional subformats.
 Do you have a copy (e.g. in a file) of the cert you want to validate
 i.e. the subject=child cert? If so, check the extension is present,
 and has (child.)AKID.keyid = parent.subjkeyid
 and/or (child.)AKID.(issuer+serial) = parent.(issuer+serial) .

 How did you obtain, or create, the child cert? (Commercial CA,
 inhouse CA, openssl CA.pl, openssl commandline, etc.)

  The certificate of course has a serial number so I want this to be
  checked when looking up a certificate in the store.

 Which cert? When you want to look up the parent you need attributes
 of the parent, not the child.  If you want to look up the parent
 by issuer+serial (serial alone is not enough) (although in this case
 parent is selfsigned so its issuer and subject are the same),
 use child.AKID.(issuer+serial) as above.



 __
 OpenSSL Project http://www.openssl.org
 User Support Mailing List    openssl-users@openssl.org
 Automated List Manager   [EMAIL PROTECTED]
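
Added example, not written by any poster in this thread and not OpenSSL's own code: a simplified C model of the issuer lookup discussed above. It shows why two roots sharing a name are ambiguous for a child without an AKID, and how AKID keyid or AKID issuer+serial selects the right one. The struct, the function names and all certificate values are constructed for illustration.

```c
/* Added example: simplified model of issuer lookup, not OpenSSL code.
 * All names and certificate values below are constructed. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct cert {
    const char *subject;     /* subject name */
    const char *issuer;      /* issuer name */
    const char *serial;      /* serial number, hex text */
    const char *skid;        /* subjectKeyIdentifier, NULL if absent */
    const char *akid_keyid;  /* AKID keyid, NULL if absent */
    const char *akid_issuer; /* AKID issuer name, NULL if absent */
    const char *akid_serial; /* AKID serial, NULL if absent */
};

/* 1 if parent is an acceptable issuer candidate for child, else 0. */
static int may_have_issued(const struct cert *parent, const struct cert *child)
{
    /* Name chaining is always required. */
    if (strcmp(parent->subject, child->issuer) != 0)
        return 0;
    /* child.AKID.keyid must equal parent.subjkeyid when both are present. */
    if (child->akid_keyid && parent->skid &&
        strcmp(child->akid_keyid, parent->skid) != 0)
        return 0;
    /* child.AKID.(issuer+serial) must equal parent.(issuer+serial). */
    if (child->akid_issuer && child->akid_serial &&
        (strcmp(child->akid_issuer, parent->issuer) != 0 ||
         strcmp(child->akid_serial, parent->serial) != 0))
        return 0;
    return 1;
}

/* Index of the first acceptable candidate in store order, or -1. */
int find_issuer(const struct cert *store, size_t n, const struct cert *child)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (may_have_issued(&store[i], child))
            return (int)i;
    return -1;
}

/* Two different self-signed roots that share one commonName. */
static const struct cert STORE[2] = {
    { "CN=AppServer", "CN=AppServer", "01", "AA11", NULL, NULL, NULL },
    { "CN=AppServer", "CN=AppServer", "02", "BB22", NULL, NULL, NULL },
};

/* Each child below was issued by STORE[1]; only the AKID content differs. */
int issuer_without_akid(void)
{
    struct cert child = { "CN=Client", "CN=AppServer", "10", "CC33",
                          NULL, NULL, NULL };
    /* Only the name can be compared, so the first same-named root wins. */
    return find_issuer(STORE, 2, &child);
}

int issuer_with_akid_keyid(void)
{
    struct cert child = { "CN=Client", "CN=AppServer", "10", "CC33",
                          "BB22", NULL, NULL };
    return find_issuer(STORE, 2, &child);
}

int issuer_with_akid_issuer_serial(void)
{
    struct cert child = { "CN=Client", "CN=AppServer", "10", "CC33",
                          NULL, "CN=AppServer", "02" };
    return find_issuer(STORE, 2, &child);
}

int main(void)
{
    printf("no AKID            -> store[%d]\n", issuer_without_akid());
    printf("AKID keyid         -> store[%d]\n", issuer_with_akid_keyid());
    printf("AKID issuer+serial -> store[%d]\n", issuer_with_akid_issuer_serial());
    return 0;
}
```

In the no-AKID case the candidate picked is the wrong root, so the later signature check against its key is what fails.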



Issue getting enough entropy on Windows NT 4.0 system

2008-10-10 Thread Ray Casterline

Hello,

The Windows NT 4.0 system has the workstation service stopped.

This causes the following snippet from rand_win.c to return 0

    if (netstatget(NULL, L"LanmanWorkstation", 0, 0, &outbuf) == 0)
    {
        RAND_add(outbuf, sizeof(STAT_WORKSTATION_0), 45);
        netfree(outbuf);
    }

Add to this that a large section of calls is #if 0'd out due to a reported
problem by Wolfgang Marczy, and there aren't many places this function gets
entropy from.

Any suggestions?

Thanks,
Ray Casterline


RE: non-blocking version of SSL_peek

2008-10-10 Thread vne



David Schwartz wrote:
 
 
 Hi,
 Can anyone tell me if SSL_peek is a blocking or non-blocking call ?
 
 It can be either.
 
 When I use it inside my code, then the program blocks on this function call
 where there is no data on the socket.
 
 If you're using blocking socket calls, that's what will happen.
 vne
 Yes you are right. I made the socket non-blocking and then SSL_peek
 returned when there is no data.
 /vne
 
 The reason I want to use this call is that before closing the SSL
 connection
 by using 'SSL_shutdown', I want to make sure that there is no pending
 data
 present on this connection.
 
 SSL_peek won't help. You need to call SSL_shutdown first and then check
 for
 any pending data. No matter when and how you call SSL_peek, there will
 still
 be a point before you call SSL_shutdown and after you call SSL_peek.
 
 If your protocol requires you to do this, the protocol is broken and
 really
 should be fixed. If it doesn't, why do this?
 vne
 Actually before closing a TLS connection I need to make sure that no
 pending data is present on that socket. So, calling SSL_peek would
 tell if this is the case or not.
 
 As you are saying that SSL_peek should be called before SSL_shutdown, then
 how is it ensured that the connection gets closed only if all the data
 arrived on that socket is processed? Does SSL_shutdown take care of this?
 Or what is the significance of calling SSL_peek after SSL_shutdown?
 
 I am using SIP over TLS and it does not specify any such thing related to
 tls.
 
 thanks !!!
 /vne
 
 Is there any method to make the call SSL_peek non-blocking,i.e. it should
 return if there is no data present on SSL connection like that
 happens with
 tcp peek by using option MSG_PEEK|MSG_DONTWAIT.
 
 Or can SSL_pending be used for this purpose?
 Please suggest...
 
 I am using openSSL version 0.9.7b.
 
 What is your outer problem? Why do you think you need to do this? What
 protocol are you implementing over SSL?
 
 DS
 
 


Re: Valid certificate reported as expired

2008-10-10 Thread Andrej Podzimek

Have you enabled CRL checking too? You can also get that if the nextUpdate
time in a CRL has passed. That might explain things if the CRL runs for a
month or so.


WOW! That's it! Thank you so much!

CRL expired exactly the day it stopped working. I did not know that a CRL could 
expire. Never explored it with openssl crl -text ... before. Now I know it has 
those two dates, just like a certificate. Added CRL updates to cron tables on 
the server and all the clients.

I would like to apologize for all the mess around this issue. This was simply 
my mistake. (However, it would be nice if the error message said 'CRL expired' 
instead of 'certificate expired'. Had I seen 'CRL' in the message, I would have 
checked that first.)

Once more many thanks for your advice. My db connection works again.

Andrej



[FWD] DNS Error while doing SSL handshake - bad gethostbyaddr

2008-10-10 Thread Lutz Jaenicke
Forwarded to openssl-users for public discussion.

Best regards,
Lutz
- Forwarded message from Joy, Byju (GE Healthcare, consultant) [EMAIL PROTECTED] -

Subject: DNS Error while doing SSL handshake - bad gethostbyaddr
Date: Fri, 10 Oct 2008 15:00:51 +0200
Thread-Topic: DNS Error while doing SSL handshake - bad gethostbyaddr
thread-index: Ackq2DkNLX4Go5QUSQWx6NJWZ9B4Hw==
From: Joy, Byju (GE Healthcare, consultant) [EMAIL PROTECTED]
To: [EMAIL PROTECTED]

Dear OpenSSL experts,
 
I am trying to run OpenSSL version OpenSSL 0.9.8i 15 Sep 2008 on
Windows Server 2003 Standard Edition Version 5.2.3790. Could you please
help me with bad gethostbyaddr error message while doing SSL
handshake? Log is given below:
 
 
D:\OpenSSL2\bin>openssl
OpenSSL> s_server -accept 443 -verify 2 -cert D:\my_crt.pem -key
D:\my_key.pem -debug -msg -state -CAfile D:\CAcerts.pem -ssl3
verify depth is 2
Enter pass phrase for D:\my_key.pem: my_pass_phrase
Loading 'screen' into random state - done
Using default temp DH parameters
Using default temp ECDH parameters
ACCEPT
bad gethostbyaddr
SSL_accept:before/accept initialization
read from 0xa533d0 [0xa6fc10] (5 bytes => 0 (0x0))
SSL_accept:failed in SSLv3 read client hello B
ERROR
shutting down SSL
CONNECTION CLOSED
ACCEPT
bad gethostbyaddr
SSL_accept:before/accept initialization
read from 0xa533d0 [0xa6fc10] (5 bytes => 0 (0x0))
SSL_accept:failed in SSLv3 read client hello B
ERROR
shutting down SSL
CONNECTION CLOSED
ACCEPT
bad gethostbyaddr
 
 
Thanks & Regards,
Byju Joy 
+91-9902511344, +91-80-67245657, *7098068
 

- End forwarded message -
--
Lutz Jaenicke   [EMAIL PROTECTED]
OpenSSL Project http://www.openssl.org/~jaenicke/


RE: Issue getting enough entropy on Windows NT 4.0 system

2008-10-10 Thread David Schwartz

 Hello,
 
 The Windows NT 4.0 system has the workstation service stopped.
 
 This causes the following snippet from rand_win.c to return 0
 
     if (netstatget(NULL, L"LanmanWorkstation", 0, 0, &outbuf) == 0)
     {
         RAND_add(outbuf, sizeof(STAT_WORKSTATION_0), 45);
         netfree(outbuf);
     }
 
 Add to this that a large section of calls is #if 0'd out due to a reported
 problem by Wolfgang Marczy, and there aren't many places this function gets
 entropy from.
 
 Any suggestions?

Why not grab some entropy from the system entropy provider?

#include <windows.h>
#include <wincrypt.h>

/* Fill ptr with len bytes from the default machine CSP; false on failure. */
bool GetSysEntropy(void *ptr, int len)
{
 char namebuf[512];
 HCRYPTPROV handle;
 DWORD count=500;

 /* Look up the name of the machine-default RSA provider */
 if(!CryptGetDefaultProvider(PROV_RSA_FULL, NULL, CRYPT_MACHINE_DEFAULT,
  namebuf, &count)) return false;

 /* CRYPT_VERIFYCONTEXT: no key container is needed for random bytes */
 if(!CryptAcquireContext(&handle, NULL, namebuf, PROV_RSA_FULL,
  CRYPT_VERIFYCONTEXT|CRYPT_SILENT)) return false;

 if(!CryptGenRandom(handle, len, (BYTE *) ptr))
 {
  CryptReleaseContext(handle, 0);
  return false;
 }

 CryptReleaseContext(handle, 0);
 return true;
}

DS




Re: FIPS fail

2008-10-10 Thread Dr. Stephen Henson
On Fri, Oct 10, 2008, joshi chandran wrote:

 Hi All,
 
 Can anybody give me a small program which sets FIPS mode and uses a non-FIPS
 algorithm, and hence fails while running?
 

Well the standard OpenSSL utility will do that e.g.

OPENSSL_FIPS=1 openssl md5 somefile

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk


Re: FIPS fail

2008-10-10 Thread joshi chandran
Hi All,

Can anybody give me a small program which sets FIPS mode and uses a non-FIPS
algorithm, and hence fails while running?

Thanks
Joshi

On Thu, Oct 9, 2008 at 5:13 PM, Steve Marquess [EMAIL PROTECTED] wrote:

 Kyle Hamilton wrote:

 Okay.  Let's see if I can piece together everything I've learned about
 the FIPS experience so far...

 FIPS-1.1.2 only generates a static fipscanister, which can only be
 used to generate a static library.  (except on Windows, where it can
 be built into a shared library.)


 The fipscanister.o for v1.1.2 is generated with position independent code
 or not depending on the default build options borrowed from the 0.9.7
 baseline at the time.  On Windows it happens that position independent code
 is generated automatically, hence that object module can be incorporated in
 shared code.  On Linux and some other platforms that isn't the case.

 Note we were originally going to test both shared and non-shared builds,
 but ran out of money for the test lab fees (each such platform variation
 drives up the price).

 For v1.2 we decided to just force position independent code generation
 universally.

  ...

 FIPS-1.1.2 is the most recent validated fipscanister.  1.2.0 is
 currently submitted for review, but there is no timeframe (other than
 'it could take until the end of the next ice age') for its validation.


 The latest info I've heard is that there is a new reviewer (new hire) who
 has decided to revisit the entire history of the original validation from
 the beginning, i.e. effectively second guessing the CMVP reviewers of those
 prior validations.  That first validation took five years, an Internet ice
 age indeed.

  If you want to test the functionality of FIPS-1.2.0, you need to
 download the latest openssl-0.9.8-fips-test-SNAP-[date].tar.gz from
 the snapshots/ directory, as well as openssl-fips-test-1.2.0.tar.gz
 from the same location.

 If you want a currently-validated solution, you need
 openssl-0.9.7m.tar.gz and openssl-fips-1.1.2.tar.gz.

 Anyone got any comments on whether I've gotten this right?


 You did.

 -Steve M.

 --
 Steve Marquess
 Open Source Software Institute
 [EMAIL PROTECTED]






-- 
Regards
Joshi Chandran


RE: RE: Issue getting enough entropy on Windows NT 4.0 system

2008-10-10 Thread Ray Casterline

Thanks for the suggestion but the RAND_poll function already
pulls from the system right after the big #if 0 block as described
below in the setup for the calls.

if (advapi)
{
    /*
     * If it's available, then it's available in both ANSI
     * and UNICODE flavors even in Win9x, documentation says.
     * We favor Unicode...
     */
    acquire = (CRYPTACQUIRECONTEXTW) GetProcAddress(advapi,
        "CryptAcquireContextW");
    gen = (CRYPTGENRANDOM) GetProcAddress(advapi,
        "CryptGenRandom");
    release = (CRYPTRELEASECONTEXT) GetProcAddress(advapi,
        "CryptReleaseContext");
}

So, still looking for other suggestions.

I also tried finding an EGD for Win NT 4.0 and the only one that looked
promising was EGADS which is no longer available.

Thanks Again for any suggestions,
Ray


 Hello,
 Why not grab some entropy from the system entropy provider?

 #include <windows.h>
 #include <wincrypt.h>

 /* Fill ptr with len bytes from the default machine CSP; false on failure. */
 bool GetSysEntropy(void *ptr, int len)
 {
  char namebuf[512];
  HCRYPTPROV handle;
  DWORD count=500;
 
  /* Look up the name of the machine-default RSA provider */
  if(!CryptGetDefaultProvider(PROV_RSA_FULL, NULL, CRYPT_MACHINE_DEFAULT,
   namebuf, &count)) return false;
 
  /* CRYPT_VERIFYCONTEXT: no key container is needed for random bytes */
  if(!CryptAcquireContext(&handle, NULL, namebuf, PROV_RSA_FULL,
   CRYPT_VERIFYCONTEXT|CRYPT_SILENT)) return false;
 
  if(!CryptGenRandom(handle, len, (BYTE *) ptr))
  {
   CryptReleaseContext(handle, 0);
   return false;
  }
 
  CryptReleaseContext(handle, 0);
  return true;
 }
 
   DS
 
  
  The Windows NT 4.0 system has the workstation service stopped.
  
  This causes the following snippet from rand_win.c to return 0
  
      if (netstatget(NULL, L"LanmanWorkstation", 0, 0, &outbuf) == 0)
      {
          RAND_add(outbuf, sizeof(STAT_WORKSTATION_0), 45);
          netfree(outbuf);
      }
  
  Add to this that a large section of calls is #if 0'd out due to a reported
  problem by Wolfgang Marczy, and there aren't many places this function gets
  entropy from.
  
  Any suggestions?


RE: non-blocking version of SSL_peek

2008-10-10 Thread David Schwartz

 Actually before closing a TLS connection I need to make sure that no
 pending data is present on that socket. So, calling SSL_peek would
 tell if this is the case or not.

No, it won't. Okay, you call SSL_peek, and there's no pending data.

Now, you're about to call SSL_shutdown. How do you know there's no pending
data *NOW*? Just because there wasn't before, it doesn't mean there isn't
now.

The only way to know that there's no pending data when you call SSL_shutdown
is for the protocol you are implementing to ensure that. Otherwise, you will
always have a race.

 As you are saying that SSL_peek should be called before
 SSL_shutdown,

No, there's no point. If you didn't know there was no data before SSL_peek,
you still won't know there's no data *now* after.

 then how is it ensured that the connection gets closed only if all the data
 arrived on that socket is processed? Does SSL_shutdown take care of this?
 Or what is the significance of calling SSL_peek after SSL_shutdown?

No, the higher-level protocol takes care of this. When a request is
completed, the other end will have nothing more to send. When you finish
replying, what else would the other end send? If there's a keep the
connection in case and close it after a timeout, the protocol handles a
close with pending data smoothly (since there's always a race in a timeout).

 I am using SIP over TLS and it does not specify any such thing
 related to
 tls.

If nobody else knows offhand, I'll do some research into SIP and see how it
handles that case. No sane protocol requires you to race to shutdown and
hope and pray the other end doesn't send some data at the wrong time.

DS
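
Added example, not part of any post in this thread: the race described above, reproduced with plain POSIX sockets instead of the OpenSSL API. A non-blocking peek (MSG_PEEK|MSG_DONTWAIT) reports no data, the peer sends afterwards, and only the order "signal our close first, then read until the peer's end-of-stream" sees the late bytes. The function names and the payload are constructed for illustration.

```c
/* Added example: plain-socket analogue of the peek/shutdown race.
 * Not OpenSSL code; names and payload are constructed. */
#include <errno.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Non-blocking peek: 1 = data queued, 0 = nothing right now, -1 = EOF/error. */
static int has_pending(int fd)
{
    char c;
    ssize_t n = recv(fd, &c, 1, MSG_PEEK | MSG_DONTWAIT);
    if (n > 0)
        return 1;
    if (n < 0 && (errno == EAGAIN || errno == EWOULDBLOCK))
        return 0;
    return -1;
}

/* Announce our close first, then read until the peer's end-of-stream.
 * Returns the number of bytes drained, or -1 on error. */
static long close_then_drain(int fd)
{
    char buf[256];
    long total = 0;
    ssize_t n;

    /* ENOTCONN only means the peer is already gone; still drain. */
    if (shutdown(fd, SHUT_WR) != 0 && errno != ENOTCONN)
        return -1;
    while ((n = recv(fd, buf, sizeof buf, 0)) > 0)
        total += n;
    return n == 0 ? total : -1;
}

/* Peek, let the peer send inside the window, then close.
 * *peek_result gets what the peek claimed; the return value is the
 * number of bytes that were nevertheless waiting at close time. */
long late_bytes_after_empty_peek(int *peek_result)
{
    static const char late[] = "late-data";   /* constructed payload */
    int sv[2];
    long drained;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;

    *peek_result = has_pending(sv[0]);        /* "no pending data" */

    /* The window between the peek and the close: the peer sends now. */
    if (write(sv[1], late, sizeof late - 1) != (ssize_t)(sizeof late - 1)) {
        close(sv[0]);
        close(sv[1]);
        return -1;
    }
    close(sv[1]);                             /* peer finishes after sending */

    drained = close_then_drain(sv[0]);
    close(sv[0]);
    return drained;
}

int main(void)
{
    int peek;
    long late = late_bytes_after_empty_peek(&peek);
    printf("peek said pending=%d, bytes found at close=%ld\n", peek, late);
    return 0;
}
```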




RE: RE: Issue getting enough entropy on Windows NT 4.0 system

2008-10-10 Thread David Schwartz

 Thanks for the suggestion but the RAND_poll function already
 pulls from the system right after the big #if 0 block as described
 below in the setup for the calls.

 if (advapi)
 {
     /*
      * If it's available, then it's available in both ANSI
      * and UNICODE flavors even in Win9x, documentation says.
      * We favor Unicode...
      */
     acquire = (CRYPTACQUIRECONTEXTW) GetProcAddress(advapi,
         "CryptAcquireContextW");
     gen = (CRYPTGENRANDOM) GetProcAddress(advapi,
         "CryptGenRandom");
     release = (CRYPTRELEASECONTEXT) GetProcAddress(advapi,
         "CryptReleaseContext");
 }

 So, still looking for other suggestions.

Umm, so what's the problem exactly? Did this fail to get entropy from the
system?

DS




Microsoft Visual C++

2008-10-10 Thread Michael Luich
Hello,
I'm trying to compile in Microsoft Visual C++ Express and I'm getting
linker errors like:

error LNK2019: unresolved external symbol _BIO_gets referenced in function
char * __cdecl sr_encrypt(char *,struct _iobuf *) (?sr_encrypt@
@YAPADPADPAU_iobuf@@@Z)

I got the header files all setup, but I can't get the libs working. I
followed the help and copied the lib files to C:\Program Files\Microsoft
Visual Studio 9.0\VC\lib .

Anybody know what i'm missing?

Mike Luich

bug in gost engine

2008-10-10 Thread Евгений
I found a bug in implementation of gost89 algorithm in gost engine of OpenSSL 
library.

I installed openssl-SNAP-20081006.
Simple program shows an error in decryption of buffer encrypted with gost89 
algorithm.

#include <openssl/conf.h>
#include <openssl/err.h>
#include <openssl/evp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>


/* Hex dump: two bytes per group, sixteen bytes per line */
static void
print_buffer(void *buffer, int len)
{
    int i;
    u_char *ucp = buffer;

    for (i = 0; i < len; i++) {
        printf( "%02x", ucp[i]);
        if (i%16==15)
            printf( "\r\n" );
        else if (i%2==1)
            printf( " " );
    }
    printf( "\r\n" );
}

int
main()
{
    OPENSSL_config( NULL );
    ERR_load_crypto_strings();
    OpenSSL_add_all_algorithms();

    //
    //Initialize key and iv
    //
    u_char iv[512];
    u_char key[512];
    int i;
    for( i = 0; i < (int)sizeof( iv ); i++ )
    {
        iv[i] = rand();
        key[i] = rand();
    }
    //
    //Initialize cipher context for encryption
    //
    EVP_CIPHER_CTX encCtx;
    EVP_CIPHER_CTX_init( &encCtx );
    if ( EVP_CipherInit( &encCtx, EVP_get_cipherbyname( "gost89" ), key, iv, 1 ) )
    {
        //
        //Initialize plain text and cipher text buffers
        //
        u_char plainText[32] = {
            0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15,
            16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31 };
        printf( "plain text :\n" );
        print_buffer( plainText, 32 );
        u_char cipherText[32] = "";
        //
        //Encrypt plain text
        //
        if ( EVP_Cipher( &encCtx, cipherText, plainText, sizeof( cipherText ) ) )
        {
            printf( "cipher text :\n" );
            print_buffer( cipherText, 32 );
            //
            //Initialize cipher context for decryption
            //
            EVP_CIPHER_CTX decCtx;
            EVP_CIPHER_CTX_init( &decCtx );
            if ( EVP_CipherInit( &decCtx, EVP_get_cipherbyname( "gost89" ), key, iv, 0 ) )
            {
                u_char decryptedText[32] = "";
                //
                //Decrypt first 8 byte block of cipher text
                //
                if ( EVP_Cipher( &decCtx, decryptedText, cipherText, 8 ) )
                {
                    printf( "decrypted text after first block decryption :\n" );
                    print_buffer( decryptedText, 32 );
                    //
                    //Decrypt rest of cipher text
                    //
                    if ( EVP_Cipher( &decCtx, decryptedText + 8, cipherText + 8, 24 ) )
                    {
                        printf( "decrypted text after rest blocks decryption :\n" );
                        print_buffer( decryptedText, 32 );
                        //
                        //Compare plain text with decrypted text
                        //
                        if( 0 == memcmp( plainText, decryptedText, sizeof( decryptedText ) ) )
                        {
                            printf( "Success\n" );
                        }
                        else
                        {
                            printf( "Error\n" );
                        }
                    }
                }
            }
            EVP_CIPHER_CTX_cleanup( &decCtx );
        }
    }

    EVP_CIPHER_CTX_cleanup( &encCtx );
    EVP_cleanup();
    ERR_free_strings();
    CONF_modules_free();
    return 0;
}

The output of the program:

plain text :
0001 0203 0405 0607 0809 0a0b 0c0d 0e0f
1011 1213 1415 1617 1819 1a1b 1c1d 1e1f

cipher text :
fa25 cc1e 8c89 5ec1 1939 af98 b105 fc49
6204 1fcb 4586 35cc bdcd d264 80df 2979

decrypted text after first block decryption :
0001 0203 0405 0607    
       

decrypted text after rest blocks decryption :
0001 0203 0405 0607 c51a dd70 0553 dffb
1011 1213 1415 1617 1819 1a1b 1c1d 1e1f

Error

Cipher text is decrypted in two parts.
First block size is 8 bytes. The decryption of it is correct.
The size of the rest of the cipher text is 24 bytes.
The decrypted text is corrupted (first 8 bytes are not correct, other 16 bytes
are correct).
If the first block size is 16 bytes, then the whole decrypted buffer is correct.


RE: [FWD] DNS Error while doing SSL handshake - bad gethostbyaddr

2008-10-10 Thread Dave Thompson
 -Original Message-
 From: [EMAIL PROTECTED] On Behalf Of Lutz Jaenicke
 Sent: Friday, 10 October, 2008 09:03
 - Forwarded message from Joy, Byju (GE Healthcare,
 consultant) [EMAIL PROTECTED] -

 Subject: DNS Error while doing SSL handshake - bad gethostbyaddr
 Date: Fri, 10 Oct 2008 15:00:51 +0200
 Thread-Topic: DNS Error while doing SSL handshake - bad gethostbyaddr
 thread-index: Ackq2DkNLX4Go5QUSQWx6NJWZ9B4Hw==
 From: Joy, Byju (GE Healthcare, consultant) [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]

 Dear OpenSSL experts,

 I am trying to run OpenSSL version OpenSSL 0.9.8i 15 Sep 2008 on
 Windows Server 2003 Standard Edition Version 5.2.3790. Could you please
 help me with bad gethostbyaddr error message while doing SSL
 handshake? Log is given below:

s_server calls do_server calls do_accept which, after the actual (TCP) accept,
calls gethostbyaddr to try to get the client host's name. If your system/network
doesn't have DNS set up to do reverse-mapping for that host, you get this printed.
(That would include DNS not set up at all, but I don't think Svr03 can do that.
It could include using a bad/wrong nameserver, or zone; or unreachable/down one;
or using a good nameserver but the zone admin doesn't do reverse-mapping at all
-- some don't; or didn't do it for that host -- particularly if it's a dynamic
host e.g. a(nother) PC many admins don't consider it worth the trouble.)

But it causes no harm; it just passes back a nullptr for the hostname string,
which the actual logic (sv_body or www_body) never uses. The connection can still
be completed and used, at least through 0.9.8g and I doubt this would be changed.
(If you actually want to fix the revlookup, you need to say more about the type
and relative network location of the client machine, and if it's not something
simple you'll probably need to go elsewhere to a network-mgt group/list/forum.)


 D:\OpenSSL2\bin>openssl
 OpenSSL> s_server -accept 443 -verify 2 -cert D:\my_crt.pem -key
 D:\my_key.pem -debug -msg -state -CAfile D:\CAcerts.pem -ssl3
 verify depth is 2
 Enter pass phrase for D:\my_key.pem: my_pass_phrase
 Loading 'screen' into random state - done
 Using default temp DH parameters
 Using default temp ECDH parameters
 ACCEPT
 bad gethostbyaddr
 SSL_accept:before/accept initialization
 read from 0xa533d0 [0xa6fc10] (5 bytes => 0 (0x0))
 SSL_accept:failed in SSLv3 read client hello B

This is your actual problem: you are not receiving the client hello.
You appear to be getting a normal TCP shutdown instead i.e. FIN not RST.
This might mean the client deliberately closed; on some system types
it also occurs if the client fails e.g. segfault; it might also occur
if something between you in the network like a firewall dislikes you.

 ERROR
 shutting down SSL
 CONNECTION CLOSED
 ACCEPT




Re: Microsoft Visual C++

2008-10-10 Thread Thomas J. Hruska

Michael Luich wrote:

Hello,
I'm trying to compile in Microsoft Visual C++ Express and I'm getting
linker errors like:

error LNK2019: unresolved external symbol _BIO_gets referenced in function
char * __cdecl sr_encrypt(char *,struct _iobuf *) (?sr_encrypt@
@YAPADPADPAU_iobuf@@@Z)

I got the header files all setup, but I can't get the libs working. I
followed the help and copied the lib files to C:\Program Files\Microsoft
Visual Studio 9.0\VC\lib .

Anybody know what i'm missing?

Mike Luich


You have to add the .lib files to your project's Linker properties.

--
Thomas Hruska
Shining Light Productions

Home of BMP2AVI, Nuclear Vision, ProtoNova, and Win32 OpenSSL.
http://www.slproweb.com/

