Net::SSLeay nonblocking sockets and timeouts
Hi, I'm using the Net::SSLeay perl module to connect to a site over HTTPS and which also implements certificates. I was originally using 'post_https()' and got that to work - though I did have to fix it's prototype in SSLeay.pm. However, as far as I can gather this doesn't use nonblocking sockets. So I've started writing it using the lower level API, and have tried to implement nonblocking sockets. However, I don't think I've done it correctly. If someone could glance over this code and let me know where I;ve gone wrong, that would be most helpful. Note the code below works fine when I don't try to make the socket nonblocking, and it also contains a lot more error checking than pasted here! Thanks, Stella my $sin = sockaddr_in($port, $dest_ip); my $proto = getprotobyname('tcp'); if (socket (SSLCAT_S, PF_INET, SOCK_STREAM, $proto)) { if (CORE::connect (SSLCAT_S, $sin)) { my $old_out = select (SSLCAT_S); $| = 1; select ($old_out); $flags = fcntl(SSLCAT_S, F_GETFL, 0); fcntl(SSLCAT_S, F_SETFL, $flags | O_NONBLOCK); $got = 1; } } else { close SSLCAT_S; return undef; } Net::SSLeay::load_error_strings(); Net::SSLeay::SSLeay_add_ssl_algorithms(); Net::SSLeay::randomize(); my $ctx = Net::SSLeay::CTX_new(); Net::SSLeay::CTX_set_options($ctx, Net::SSLeay::OP_ALL); Net::SSLeay::set_cert_and_key($ctx, $self-{_cert}, $self-{_key}); my $ssl = Net::SSLeay::new($ctx); Net::SSLeay::set_fd($ssl, fileno(SSLCAT_S)); $got = Net::SSLeay::connect($ssl); my $server_cert = Net::SSLeay::get_peer_certificate($ssl); my($written, $errs) = Net::SSLeay::ssl_write_all($ssl, $request); ($got, $errs) = Net::SSLeay::ssl_read_all($ssl); Net::SSLeay::X509_free($server_cert) if defined $server_cert; Net::SSLeay::free($ssl); Net::SSLeay::CTX_free($ctx); close SSLCAT_S; __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: client certificates and Net::SSLeay
ok I think I figured out one problem - the client side was using a cert signed with a password protected key, which my script was unable to deal with. Having fixed that, I am now getting error 140890B2 : SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned on the server side. and error: 14094418 : SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca on the client side. Looking at the Net::SSLeay module, it seems to fail on the 'get_peer_certificate' line. I'm presuming that it has a list of known CA's somewhere, and hence there must be some way of adding another CA to it. Does anyone know if there is a function to do this? is it Net::SSLeay::CTX_set_client_CA_list() by any chance? I can't seem to find any examples for this, could someone point me in the right direction? thanks Lutz for letting me know about the 'openssl errstr' command by the way, it's quite useful! Thanks, Stella On Wed, Nov 12, 2003 at 12:51:58PM +0100, Lutz Jaenicke wrote: On Wed, Nov 12, 2003 at 10:53:58AM +, Stella Power wrote: I was wondering if anyone on this list could help me. I'm trying to use the post_https() function in Net::SSLeay to post to a website that needs a valid client certificate. ... However, the server fails to validate my cert. I'm not sure if it is the module or my actual cert which is wrong. I then used the path to newcert.pem for $cert_path above, and the path to newreq.pem as the $key_path above (post_https() line). I get the following errors in /var/log/httpd/error_log mod_ssl: SSL handshake failed (server renegade.dev.ie.alphyra.com:443, client 192.168.1.146) (OpenSSL library error follows) [error] OpenSSL: error:140890C7:lib(20):func(137):reason(199) [EMAIL PROTECTED]:~/cc/openssl-0.9.7-stable/ssl$ openssl errstr 140890C7 error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate Your client does not send a certificate, even though requested. So the problem is on the client side. Best regards, Lutz -- Lutz Jaenicke [EMAIL PROTECTED] http://www.aet.TU-Cottbus.DE/personen/jaenicke/ BTU Cottbus, Allgemeine Elektrotechnik Universitaetsplatz 3-4, D-03044 Cottbus __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: client certificates and Net::SSLeay
ok never mind, got it working. My server certificate had expired. Thanks for all your help. Stella On Wed, Nov 12, 2003 at 01:23:15PM +, Stella Power wrote: ok I think I figured out one problem - the client side was using a cert signed with a password protected key, which my script was unable to deal with. Having fixed that, I am now getting error 140890B2 : SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned on the server side. and error: 14094418 : SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca on the client side. Looking at the Net::SSLeay module, it seems to fail on the 'get_peer_certificate' line. I'm presuming that it has a list of known CA's somewhere, and hence there must be some way of adding another CA to it. Does anyone know if there is a function to do this? is it Net::SSLeay::CTX_set_client_CA_list() by any chance? I can't seem to find any examples for this, could someone point me in the right direction? thanks Lutz for letting me know about the 'openssl errstr' command by the way, it's quite useful! Thanks, Stella On Wed, Nov 12, 2003 at 12:51:58PM +0100, Lutz Jaenicke wrote: On Wed, Nov 12, 2003 at 10:53:58AM +, Stella Power wrote: I was wondering if anyone on this list could help me. I'm trying to use the post_https() function in Net::SSLeay to post to a website that needs a valid client certificate. ... However, the server fails to validate my cert. I'm not sure if it is the module or my actual cert which is wrong. I then used the path to newcert.pem for $cert_path above, and the path to newreq.pem as the $key_path above (post_https() line). I get the following errors in /var/log/httpd/error_log mod_ssl: SSL handshake failed (server renegade.dev.ie.alphyra.com:443, client 192.168.1.146) (OpenSSL library error follows) [error] OpenSSL: error:140890C7:lib(20):func(137):reason(199) [EMAIL PROTECTED]:~/cc/openssl-0.9.7-stable/ssl$ openssl errstr 140890C7 error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate Your client does not send a certificate, even though requested. So the problem is on the client side. Best regards, Lutz -- Lutz Jaenicke [EMAIL PROTECTED] http://www.aet.TU-Cottbus.DE/personen/jaenicke/ BTU Cottbus, Allgemeine Elektrotechnik Universitaetsplatz 3-4, D-03044 Cottbus __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
3DES ECB
Hi, I was wondering if someone could clarify this for me. I'm trying to decrypt a string which has been encrypted in 3DES ECB mode. I'm using the command line utility and a program I have written to do this. According to the EVP_EncryptInit.html, I should use the cipher EVP_des_ede3(). However in the command line utility I don't see any 3DES ECB cipher. According to the 'enc' man page the cipher 'des-ede3' is an alias for 'des-ede3-cbc'. Are both of these correct? If so, shouldn't there be a standard naming convention for these ciphers? and how do I encrypt/decrypt a string in 3DES EC mode using the command line utility? Thanks, Stella __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: EVP_CipherFinal()
okidokey, the code is attached. The encryption/decryption function is in do_crypt.c thanks Stella On Mon, May 27, 2002 at 06:03:46PM +0200, Aleix Conchillo wrote: hi stella, could you please post your sample code? best regards, aleix __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] OPENSSLDIR=/usr/local/ssl LIBS = -lm -L$(OPENSSLDIR) -lssl -lcrypto -lefence oflags = -c CFLAGS = -pedantic -ansi -W -Wall -g CC = gcc exec = crypt default: main.o do_crypt.o parse_keyfile.o $(CC) -o ${exec} main.o do_crypt.o parse_keyfile.o -o crypt ${LIBS} main.o: main.c do_crypt.c parse_keyfile.c header.h ${CC} -c ${CFLAGS} ${INCDIR} main.c do_crypt.c parse_keyfile.c clean: rm -f core *.o #include header.h #define EVP_MAX_BLOCK_LENGTH 6 FILE *out; char* do_crypt(char *i_p, int docrypt) { unsigned char outbuf[1024+EVP_MAX_BLOCK_LENGTH]; unsigned char outbuf_final[1024]; int outlen, inlen; unsigned char iv[] = 12345678; EVP_CIPHER_CTX ctx; inlen = strlen(i_p); EVP_CIPHER_CTX_init(ctx); EVP_CipherInit(ctx, EVP_des_ede3(), NULL, NULL, docrypt); EVP_CIPHER_CTX_set_key_length(ctx, key_length); EVP_CipherInit(ctx, NULL, key, iv, docrypt); if(!EVP_CipherUpdate(ctx, outbuf, outlen, (unsigned char *)i_p, inlen)) { fprintf(stderr, Error crypting in EVP_CipherUpdate\n); exit(10); } if(!EVP_CipherFinal(ctx, outbuf_final, outlen)) { fprintf(stderr, Error crypting in EVP_CipherFinal\n); exit(11); } sprintf(return_out,%s%s, outbuf, outbuf_final); fwrite(return_out,1,outlen, stdout); fwrite(\n,1,1,stdout); EVP_CIPHER_CTX_cleanup(ctx); return return_out; } #include stdio.h #include stdlib.h #include string.h #include getopt.h #include sys/syslog.h #include sys/stat.h #include errno.h #include unistd.h #include fcntl.h #include sys/mman.h #include sys/types.h #include openssl/des.h #include openssl/evp.h #include openssl/sha.h #define BUFSIZE 1024 struct stat tmp; int f_map_encrypt_p; FILE *f_session_key_p; char *session_key_filename; char *current_line; char *edata_a, *edata_b; char *data_a, *data_b; int docrypt; int key_length; char *session_key; unsigned char key[BUFSIZE]; char *return_out; char* parse_keyfile(char *current_line); char* do_crypt(char *i_p, int docrypt); key : 64556564446546465546546444555665 #include header.h int main(int argc, char** argv) { int opt, i=0, j=0; char *temp2; /* COMMAND LINE OPTION HANDLING */ while((opt = getopt(argc, argv, k:a:b:))!=-1) switch (opt) { case 'k': if(optarg) { session_key_filename = malloc(64); strncpy(session_key_filename, optarg, 64); if((stat(optarg, tmp)!=0)) { fprintf(stderr,Error: Illegal filename for keyfile\n); exit(1); } } break; case 'a': if(optarg) { edata_a = malloc(64); strncpy(edata_a, optarg, 64); } break; case 'b': if(optarg) { edata_b = malloc(64); strncpy(edata_b, optarg, 64); } break; case '?': default: printf(Usage: -k session_key_file\n); exit(2); } printf(0: %s\t1: %s\n, edata_a, edata_b); if (!session_key_filename) { fprintf(stderr, Error: Missing option -k\n); printf(Usage: -k session_key_file\n); exit(4); } if((return_out =(char *)malloc((BUFSIZE)*sizeof(char)))==NULL) { fprintf(stderr, Error: malloc error\n); exit(8); } /* IN HERE GOES DECRYPTION OF PINS */ if((current_line =(char *)malloc(BUFSIZE*sizeof(char)))==NULL) { fprintf(stderr, Error: malloc error\n); exit(8); }
SHA1
Hi, I'm having problems with SHA1() and I'm hoping some of you might be able to help me out. I want to calculate the sha1 checksum of a file which i have mapped into memory (char *mapped_encrypted_file;). I use strlen on that to get its length (unsigned long maplength;). I also malloc space for my md (unsigned char *md;) as follows: md = (unsigned char*)malloc(BUFSIZE*sizeof(unsigned char)); and call SHA1() by: SHA1((const unsigned char*)mapped_encrypted_file, maplength, md); However whenever I print md I just get weird characters - non-alphanumeric characters, $/\[ and other letters with accents. Is there something I'm doing wrong? Thanks Stella __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
3DES decrytpion
hi, I'm trying to use the crypto library to decrypt a file which has been encrypted using triple-DES. I have the following declarations: char *temp; char **elines; des_cblock *input; I have a function which parses the file and grabs the encrypted strings temp = parse_file(mapped_file); I then set elines[i] = temp; However I can't pass elines[i] to des_ecb3_encrypt() as it is not declared as des_cblock. Is there any way of casting it, passing it, some way of passing the data returned by the parse_file() function to des_ecb3_encrypt()? Also, am I right in thinking that des_cblock being defined the way it is , that you can only decrypt in batches of 8 characters?? Thanks! Stella __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: 3DES decrytpion
I'm afraid that I couldn't find any examples on how to use the EVP functions, and still do not know how I would go about implementing it. The only restriction I have on my code is that the encrypted input file is 3DES ECB encrypted. Stella On Wed, May 01, 2002 at 09:03:42AM -0700, Aleksey Sanin wrote: Do you have any reason to do not use EVP_Cipher*() functions instead of low-level des_ecb3_encrypt()? EVP functions provide very good abstraction layer and hide many algorithm specific details. Aleksey Sanin. Stella Power wrote: hi, I'm trying to use the crypto library to decrypt a file which has been encrypted using triple-DES. I have the following declarations: char *temp; char **elines; des_cblock *input; I have a function which parses the file and grabs the encrypted strings temp = parse_file(mapped_file); I then set elines[i] = temp; However I can't pass elines[i] to des_ecb3_encrypt() as it is not declared as des_cblock. Is there any way of casting it, passing it, some way of passing the data returned by the parse_file() function to des_ecb3_encrypt()? Also, am I right in thinking that des_cblock being defined the way it is , that you can only decrypt in batches of 8 characters?? Thanks! Stella __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]