web site with many openssl examples
Hi, I'm looking for complete examples of implementing OpenSSL code - server and client. Can you give a link? Best wishes Peter
Re: Multiple connection from 1 client
Hi, I have a server application, which accepts normal sockets and ssl socket connections. I am trying to make 3 connections to server from 1 client machine, on same server port. When i connect on normal sockets then it works with any number of connections. When i tried to connect SSL then they dont work. If i connect 1 client then it works. In my listen socket, I have SO_REUSEADDR socket option, at first i thought might be this is causing issue, but i tried to use SO_EXCLUSIVEADDRUSE even then it dont work. Has someone seen some issue like this, any possible suggestion for this? Thanks, // Harshvir Hi, Can you show us the source code. Paste it into pastebin.org. Regards
Re: Re: Using OpenSSL with non-blocking I/O
Hi, I am developing and application using OpenSSL. I have a proprietary system to handle connection/read data from sockets. All I need to do is to pass callback functions to the system to 1. Handle new connection 2. Read data on the given port Now while I use OpenSSL, I need to use SSL_connect and SSL_accept to do the handshake. But these calls are blocking and also use the sockets directly. Is there any way to use the library so that it works as a event-based handshake. Actually they aren't blocking and don't use sockets directly. They use a BIO I/O abstraction. Your problem can be resolved by either writing your own BIO or using BIO pairs. See the archives for discussion of these concepts. Steve. -- Hi, Can you show us the source code. Paste it into pastebin.org. Regards
Re: RSA_private_decrypt across processes
I generate an RSA key using RSA_generate_key in one process. I then take the RSA structure that is generated and serialize it and send it to another process via an RPC mechanism. In the other process I then de-serialize the RSA data and use that as input to an RSA_private_decrypt function to decrypt some data that was previously encrypted with the RSA public key. This works fine and I am able to decrypt the data successful, HOWEVER, it takes a long time to do so, like up to 2 seconds. It is almost as if it is doing another key generation in the background. Note that if I do this RSA_private_decrypt in the same process as the one that generated the key, it takes around 20-30 ms. This leads me to think that maybe there is some static data that the openssl library uses in RSA_private_decrypt that was cached when I generated the key and now is not available since it is a new process. Can anyone enlighten me on this? Hi, Let us see the source code to see where is the problem. Paste it into http://pastebin.com/ Regards - Дизайнерски обувки с до -70%. Регистрирай се и пазарувай. http://clk.tradedoubler.com/click?p=191500a=1875689g=19425934
Re: Problem with HMAC_Init_ex
Hi all, I am finding a strange problem with HMAC_Init_ex. After the call to this function the stack is getting corrupted. The sequence of functions used are- HMAC_CTX ctx ;HMAC_CTX_init(amp;ctx); HMAC_Init_ex(amp;ctx, hash_key-v, hash_key-l, EVP_sha1(), NULL); Key-v points to 20 bytes of memory, while key-l is 20. Are there some necessary pre-requisites to this? Can anyone help? Thanks, Prashant Hi, Let us see the complete source code to see where is the problem. Paste it into http://pastebin.com/ Regards - Дизайнерски обувки с до -70%. Регистрирай се и пазарувай. http://clk.tradedoubler.com/click?p=191500a=1875689g=19425934
Re: Restricting ciphers list to RSA only in Client Hello
Hi All, I have built an SIP test application using openssl. I am trying to restrict the ciphers sent by this application in Client Hello to those with only RSA key exchange. Is there a way to configure it in OpenSSL? I tried to compile the source code with SSL_DEFAULT_CIPHER_LIST set to RSA:!aNULL:!eNULL:+RC4:@STRENGTH in ssl.h. When I run openssl ciphers -v the ciphers listed are just those with RSA, C:\Openssl_src\openssl-0.9.8f\openssl-0.9.8f\out32dllopenssl.exe ciphers -v AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1 DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1 DES-CBC3-MD5 SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5 AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1 IDEA-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=IDEA(128) Mac=SHA1 IDEA-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=IDEA(128) Mac=MD5 RC2-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5 RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1 RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5 RC4-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5 DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1 DES-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5 EXP-DES-CBC-SHA SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export EXP-RC2-CBC-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export EXP-RC2-CBC-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export EXP-RC4-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export but when I build the application using these new libraries the application still sends all the ciphers as shown below Cipher Spec: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) Cipher Spec: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x38) Cipher Spec: TLS_RSA_WITH_AES_256_CBC_SHA (0x35) Cipher Spec: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16) Cipher Spec: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x13) Cipher Spec: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x0a) Cipher Spec: SSL2_DES_192_EDE3_CBC_WITH_MD5 (0x0700c0) Cipher Spec: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) Cipher Spec: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x32) Cipher Spec: TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) Cipher Spec: TLS_RSA_WITH_IDEA_CBC_SHA (0x07) Cipher Spec: SSL2_IDEA_128_CBC_WITH_MD5 (0x050080) Cipher Spec: SSL2_RC2_CBC_128_CBC_WITH_MD5 (0x030080) Cipher Spec: TLS_RSA_WITH_RC4_128_SHA (0x05) Cipher Spec: TLS_RSA_WITH_RC4_128_MD5 (0x04) Cipher Spec: SSL2_RC4_128_WITH_MD5 (0x010080) Cipher Spec: TLS_DHE_RSA_WITH_DES_CBC_SHA (0x15) Cipher Spec: TLS_DHE_DSS_WITH_DES_CBC_SHA (0x12) Cipher Spec: TLS_RSA_WITH_DES_CBC_SHA (0x09) Cipher Spec: SSL2_DES_64_CBC_WITH_MD5 (0x060040) Cipher Spec: TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (0x14) Cipher Spec: TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA (0x11) Cipher Spec: TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x08) Cipher Spec: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x06) Cipher Spec: SSL2_RC2_CBC_128_CBC_WITH_MD5 (0x040080) Cipher Spec: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x03) Cipher Spec: SSL2_RC4_128_EXPORT40_WITH_MD5 (0x020080) Do I need to do anything else to restrict the cipher list to RSA only? Regards, Gauri Hi, Can you paste here the source code? I would like to see your implementation. Regards - Дизайнерски обувки с до -70%. Регистрирай се и пазарувай. http://clk.tradedoubler.com/click?p=191500a=1875689g=19425934
Re: SSL_shutdown closesocket
Hi, I am using Blocking sockets for my applicaiton. The server i have accept SSL and non SSL connections, from the client side when i connect with SSL then on closesocket i dont get a notification of client closed, while for non SSL i get notification. Is this some desired behavior or i am missing something? Thanks. // Harshvir Let us have a look at the code. Paste it at http://pastebin.com/ and give us a link. Regards Peter
How to create threaded pool with OpenSSL
Hi, I found OpenSSL server code which uses threds in order to process clients. Is it possible to create connection pool with OpenSSL. There is no information about this on openssl.org How I can add threaded pool to this code? http://pastebin.com/pkDB7fHm Regards
Help me fix this code
Hi, I have a problem with the code below. There is a bug that I can't find and fix. This is the output when I try to run it: [root@localhost test]# ./a.out sdcsdsdcd Entering Encryption Stage: String to encrypt: sdcsdsdcd Encryption Successful Entering Decryption Stage Error Whilst DecryptFinal 19041:error:06065064:lib(6):func(101):reason(100):evp_enc.c:325: Here is the source code: #include #include #include #include #include #define input_buf_size 1024 #define output_buf_size 1032 int main(int argc, char *argv[]) { if (argc !=2) { printf(Usage: test1 \n); exit(1); } char *string; int encoutlen, decoutlen, enctotallen, dectotallen; unsigned char iv[8]; unsigned char password[16]; unsigned char enc_outbuf[output_buf_size]; char enc_inbuf[input_buf_size]; unsigned char dec_outbuf[input_buf_size]; char dec_inbuf[output_buf_size]; EVP_CIPHER_CTX ectx; EVP_CIPHER_CTX dctx; /* * Begin the encode - decode * * Get our inputs and the random IV * */ string = argv[1]; RAND_bytes(iv, 8); RAND_bytes(password, 16); printf(Entering Encryption Stage:\n\n); printf(String to encrypt: %s\n\n, string); EVP_CIPHER_CTX_init(amp;ectx); EVP_EncryptInit(amp;ectx, EVP_bf_cbc(), password, iv); bzero (amp;enc_inbuf, input_buf_size); if(!EVP_EncryptUpdate(amp;ectx, enc_outbuf, amp;encoutlen, string, strlen(string))) { printf(Error whilst EncryptUpdate\n); return 0; } if(!EVP_EncryptFinal(amp;ectx, enc_outbuf + encoutlen, amp;enctotallen)) { printf(Error Whilst EncryptFinal\n); return 0; } encoutlen += enctotallen; printf(Encryption Successful\n\n); printf(Entering Decryption Stage\n\n); EVP_CIPHER_CTX_init(amp;dctx); EVP_DecryptInit(amp;dctx, EVP_bf_cbc(), password, iv); bzero (amp;dec_inbuf, output_buf_size); bzero (amp;dec_outbuf, input_buf_size); if (!(EVP_DecryptUpdate(amp;dctx, dec_outbuf, amp;decoutlen, enc_outbuf, output_buf_size))) { printf(Error Whilst DecryptUpdate\n); return 0; } if (!(EVP_DecryptFinal(amp;dctx, dec_outbuf + decoutlen, amp;dectotallen))) { printf(Error Whilst DecryptFinal\n); ERR_print_errors_fp(stdout); return 0; } decoutlen += dectotallen; printf(Decryption Successful\n\n); printf(Decrypted String is: %s\n, dec_outbuf); return 0; } Any help will be highly appreciated! Regards Peter
Re: Re: Help me fix this code
Hi Peter, Add padding for CBC mode encryption. Or u can use CFB mode. EVB_bf_cfb() -Shafeek Hi, Thank you for the reply. I have edit the code. Source Code: //gcc blowfish2.c -L/usr/local/ssl/lib/ -lssl -lcrypto -Wall #include #include #include #include #include #define input_buf_size 1024 #define output_buf_size 1032 int main(int argc, char *argv[]) { if (argc !=2) { printf(Usage: test1 \n); exit(1); } char *string; int encoutlen, decoutlen, enctotallen, dectotallen; unsigned char iv[8]; unsigned char password[16]; unsigned char enc_outbuf[output_buf_size]; char enc_inbuf[input_buf_size]; unsigned char dec_outbuf[input_buf_size]; char dec_inbuf[output_buf_size]; EVP_CIPHER_CTX ectx; EVP_CIPHER_CTX dctx; /* * Begin the encode - decode * * Get our inputs and the random IV * */ string = argv[1]; RAND_bytes(iv, 8); RAND_bytes(password, 16); printf(Entering Encryption Stage:\n\n); printf(String to encrypt: %s\n\n, string); EVP_CIPHER_CTX_init(amp;ectx); EVP_EncryptInit(amp;ectx, EVP_bf_cfb(), password, iv); bzero (amp;enc_inbuf, input_buf_size); if(!EVP_EncryptUpdate(amp;ectx, enc_outbuf, amp;encoutlen, string, strlen(string))) { printf(Error whilst EncryptUpdate\n); return 0; } if(!EVP_EncryptFinal(amp;ectx, enc_outbuf + encoutlen, amp;enctotallen)) { printf(Error Whilst EncryptFinal\n); return 0; } encoutlen += enctotallen; printf(Encryption Successful\n\n); printf(Entering Decryption Stage\n\n); EVP_CIPHER_CTX_init(amp;dctx); EVP_DecryptInit(amp;dctx, EVP_bf_cfb(), password, iv); bzero (amp;dec_inbuf, output_buf_size); bzero (amp;dec_outbuf, input_buf_size); if (!(EVP_DecryptUpdate(amp;dctx, dec_outbuf, amp;decoutlen, enc_outbuf, output_buf_size))) { printf(Error Whilst DecryptUpdate\n); return 0; } if (!(EVP_DecryptFinal(amp;dctx, dec_outbuf + decoutlen, amp;dectotallen))) { printf(Error Whilst DecryptFinal\n); ERR_print_errors_fp(stdout); return 0; } decoutlen += dectotallen; printf(Decryption Successful\n\n); printf(Decrypted String is: %s\n, dec_outbuf); return 0; } This is the output: [root@localhost test]# ./a.out dcee Entering Encryption Stage: String to encrypt: dcee Encryption Successful Entering Decryption Stage Decryption Successful Decrypted String is: dcee�� s���h[j�l��ȥg�L^�aPB=� everytime the string after dcee is diffrent. So I need padding. Could you edit the source code in proper way. I have no idea how to add padding. Regards Peter - Дизайнерски обувки с до -70%. Регистрирай се и пазарувай. http://clk.tradedoubler.com/click?p=191500a=1875689g=19425934
Re: Re: Cannot encrypt text - need help
So I need a high performance solution that can handle many connections with little server load. 1. SSL is a good solution but is not high performance - it's more suitable for encryption of a web page. When establishing connection more that 100 connections are used to perform the SSL handshake and is not suitable for big bynary data. I don't know where you're getting that from, but it's totally incorrect. The SSL handshake, if repeated between the same two endpoints multiple times, is quite high performance because the sessions can be cached. As for big binary data, why do you think SSL is unsuitable? My mistake, sorry. 2. Symethric encryption is more suitable because it is higth performance and will scale very well. SSL is symmetric encryption. PK is used for session setup and key negotiation, but the encryption of bulk data is symmetric. I need a high performance optimizad solution. What is your opinion? What will be the best approach? SSL. It's already well-maintained and heavily optimized. It can easily be proxied without understanding the underlying application protocol. Padding, message integrity, session caching, authentication and the like are already done. As a plus, SSL permits easily adjusting the encryption and authentication schemes to provide the desired balance between performance and security. And SSL accelerators are widely available -- for example, newer Intel processors have AES acceleration, so if you use SSL, those who have them can choose AES as the bulk encryption protocol. Had you decided on blowfish and locked it in the way you seem to be planning, it would take significant changes to get the benefit of AES-NI. Also, you will have a much harder time getting your project accepted if you just made up the security scheme yourself. The effort required to ensure the scheme was properly designed and implemented (especially given all the false starts and misunderstandings so far) would almost certainly drastically outweigh any hypothetical performance benefit you might get. DS Ok, I agree. It's better to use SSL. Do you know where I can find multithreaded and optimazed source code of SSL server and client? I found many examples with SSL servers but they are simple examples. And also have you see benchmarks of the latest openssl version? Regards Peter - Дизайнерски обувки с до -70%. Регистрирай се и пазарувай. http://clk.tradedoubler.com/click?p=191500a=1875689g=19425934
Re: RE: Cannot encrypt text - need help
On 5/1/2011 1:34 AM, derleader mail wrote: I'm going to use stream protocol - TCP/IP. Here is the template source code of the server without the encryption part We mean application protocol. while (1) { sock = accept(listensock, NULL, NULL); printf(client connected to child thread %i with pid %i.\n, pthread_self(), getpid()); pthread_t and pid_t are not required to be int and sometimes aren't. I don't think they're even required to be any integers. nread = recv(sock, buffer, 25, 0); buffer[nread] = '\0'; Where buffer is char[25]. If the client always sends 25 bytes (or more) this will write outside the space allocated for buffer[]. This is undefined behavior in C and the program can fail arbitrarily. On today's systems usually this will 'accidentally' work, but you have no confidence of that in the future. Either make maximum read at least one byte smaller than buffer, or buffer at least one byte larger than maximum read. Also, recv() returns -1 if error; storing to buffer[-1] is also undefined and more likely to actually screw up. For that matter, accept() can fail and return not a valid socket, in which case the recv() and send() can't succeed. printf(%s\n, buffer); If this is the only reason you wanted null termination, you could do printf(%.*s\n,nread,buffer) instead. send(sock, buffer, nread, 0); close(sock); printf(client disconnected from child thread %i with pid %i.\n, pthread_self(), getpid()); } } This code isn't very helpful. It just reads and writes the very same data. Nothing in this code tells us, for example, how to identify a complete message. Unless the messages are fixed-length 25 bytes. I've seen crazier. You could interpose an encryption protocol that also imposed no such requirements. You would need to work out your own padding though. Blowfish is a block encryption algorithm and cannot encrypt just a single byte. So if you only read one byte, you'd need to pad it before encryption and then you'd need some way to remove the padding on the other end. Not quite; OP's earlier code had Blowfish *CFB*, a stream mode that can handle any number of bytes. (The mode itself can handle any number of bits, but the OpenSSL API doesn't handle sub-byte amounts.) However a stream mode is generally more vulnerable to bit-flipping unless authenticated, which the OP didn't. Also his 'test' had a fixed IV (and key), but maybe that was only a test. I would strongly urge you to just use SSL. It is designed for *exactly* this purpose. Agree there. Also it should be noted session caching only helps if both ends support (and allow) it; it is optional. If you write both programs and use OpenSSL, it's easy, but in some other situations it might not be. Ok, I agree I will use SSL. Do you know where I can find multithreaded source code of SSL server and client? Have you see benchmark tests of the latest OpenSSL library? Regards Peter - Дизайнерски обувки с до -70%. Регистрирай се и пазарувай. http://clk.tradedoubler.com/click?p=191500a=1875689g=19425934
Re: Re: Re: Help me fix this code
Hi Peter, The extra string in o/p is due to error in coding. u r passing incorrect length in EVP_DecryptUpdate. if (!(EVP_DecryptUpdate(amp;dctx, dec_outbuf, amp;decoutlen, enc_outbuf, output_buf_size))) change above line to if (!(EVP_DecryptUpdate(amp;dctx, dec_outbuf, amp;decoutlen, enc_outbuf, encoutlen))) -Shafeek It works vey good! Thank you! Peter On Mon, May 2, 2011 at 3:09 PM, derleader mail derlea...@abv.bg wrote: Hi Peter, Add padding for CBC mode encryption. Or u can use CFB mode. EVB_bf_cfb() -Shafeek Hi, Thank you for the reply. I have edit the code. Source Code: //gcc blowfish2.c -L/usr/local/ssl/lib/ -lssl -lcrypto -Wall #include #include #include #include #include #define input_buf_size 1024 #define output_buf_size 1032 int main(int argc, char *argv[]) { if (argc !=2) { printf(Usage: test1 \n); exit(1); } char *string; int encoutlen, decoutlen, enctotallen, dectotallen; unsigned char iv[8]; unsigned char password[16]; unsigned char enc_outbuf[output_buf_size]; char enc_inbuf[input_buf_size]; unsigned char dec_outbuf[input_buf_size]; char dec_inbuf[output_buf_size]; EVP_CIPHER_CTX ectx; EVP_CIPHER_CTX dctx; /* * Begin the encode - decode * * Get our inputs and the random IV * */ string = argv[1]; RAND_bytes(iv, 8); RAND_bytes(password, 16); printf(Entering Encryption Stage:\n\n); printf(String to encrypt: %s\n\n, string); EVP_CIPHER_CTX_init(amp;ectx); EVP_EncryptInit(amp;ectx, EVP_bf_cfb(), password, iv); bzero (amp;enc_inbuf, input_buf_size); if(!EVP_EncryptUpdate(amp;ectx, enc_outbuf, amp;encoutlen, string, strlen(string))) { printf(Error whilst EncryptUpdate\n); return 0; } if(!EVP_EncryptFinal(amp;ectx, enc_outbuf + encoutlen, amp;enctotallen)) { printf(Error Whilst EncryptFinal\n); return 0; } encoutlen += enctotallen; printf(Encryption Successful\n\n); printf(Entering Decryption Stage\n\n); EVP_CIPHER_CTX_init(amp;dctx); EVP_DecryptInit(amp;dctx, EVP_bf_cfb(), password, iv); bzero (amp;dec_inbuf, output_buf_size); bzero (amp;dec_outbuf, input_buf_size); if (!(EVP_DecryptUpdate(amp;dctx, dec_outbuf, amp;decoutlen, enc_outbuf, output_buf_size))) { printf(Error Whilst DecryptUpdate\n); return 0; } if (!(EVP_DecryptFinal(amp;dctx, dec_outbuf + decoutlen, amp;dectotallen))) { printf(Error Whilst DecryptFinal\n); ERR_print_errors_fp(stdout); return 0; } decoutlen += dectotallen; printf(Decryption Successful\n\n); printf(Decrypted String is: %s\n, dec_outbuf); return 0; } This is the output: [root@localhost test]# ./a.out dcee Entering Encryption Stage: String to encrypt: dcee Encryption Successful Entering Decryption Stage Decryption Successful Decrypted String is: dcee�� s�� � h[j �l��ȥg�L^�aPB=� everytime the string after dcee is diffrent. So I need padding. Could you edit the source code in proper way. I have no idea how to add padding. Regards Peter - Дизайнерски обувки с до -70%. Регистрирай се и пазарувай. - Дизайнерски обувки с до -70%. Регистрирай се и пазарувай. http://clk.tradedoubler.com/click?p=191500a=1875689g=19425934
Re: RE: Cannot encrypt text - need help
I'm going to use stream protocol - TCP/IP. Here is the template source code of the server without the encryption part We mean application protocol. while (1) { sock = accept(listensock, NULL, NULL); printf(client connected to child thread %i with pid %i.\n, pthread_self(), getpid()); pthread_t and pid_t are not required to be int and sometimes aren't. I don't think they're even required to be any integers. nread = recv(sock, buffer, 25, 0); buffer[nread] = '\0'; Where buffer is char[25]. If the client always sends 25 bytes (or more) this will write outside the space allocated for buffer[]. This is undefined behavior in C and the program can fail arbitrarily. On today's systems usually this will 'accidentally' work, but you have no confidence of that in the future. Either make maximum read at least one byte smaller than buffer, or buffer at least one byte larger than maximum read. Also, recv() returns -1 if error; storing to buffer[-1] is also undefined and more likely to actually screw up. For that matter, accept() can fail and return not a valid socket, in which case the recv() and send() can't succeed. printf(%s\n, buffer); If this is the only reason you wanted null termination, you could do printf(%.*s\n,nread,buffer) instead. send(sock, buffer, nread, 0); close(sock); printf(client disconnected from child thread %i with pid %i.\n, pthread_self(), getpid()); } } This code isn't very helpful. It just reads and writes the very same data. Nothing in this code tells us, for example, how to identify a complete message. Unless the messages are fixed-length 25 bytes. I've seen crazier. You could interpose an encryption protocol that also imposed no such requirements. You would need to work out your own padding though. Blowfish is a block encryption algorithm and cannot encrypt just a single byte. So if you only read one byte, you'd need to pad it before encryption and then you'd need some way to remove the padding on the other end. Not quite; OP's earlier code had Blowfish *CFB*, a stream mode that can handle any number of bytes. (The mode itself can handle any number of bits, but the OpenSSL API doesn't handle sub-byte amounts.) However a stream mode is generally more vulnerable to bit-flipping unless authenticated, which the OP didn't. Also his 'test' had a fixed IV (and key), but maybe that was only a test. I would strongly urge you to just use SSL. It is designed for *exactly* this purpose. Agree there. Also it should be noted session caching only helps if both ends support (and allow) it; it is optional. If you write both programs and use OpenSSL, it's easy, but in some other situations it might not be. One more question: If I decide to go with openssl and blowfish what are the potential threats? Is there another security mechanism that I can use with blowfish? Regards Peter
Re: RE: RE: Cannot encrypt text - need help
If I decide to go with openssl and blowfish what are the potential threats? Yes, heaps of. You might consider asking more detailed. Is there another security mechanism that I can use with blowfish? Of course... But what exactly do you want to know? If you can use SSL and Blowfish? It does not appear in http://www.openssl.org/docs/apps/ciphers.html. Yes the web site and the book about the OpenSSL is outdated. If you have to design high performance server which must be able to process many requests from clients how are you going to design it? Lets say something like Nagios. Could you explain in details? Regards Peter
Re: Re: Re: Cannot encrypt text - need help
The encrypted output is not a NULL terminated string so strlen will not work. EVP_DecryptUpdate(amp;ctx, (unsigned char *)plaintextz, amp;out_len, (unsigned char *)ciphertext, strlen(ciphertext)); Use the length output from the encryption part. Thank you very much for the reply. The problem is that the encryption and decryption must be on separate machines. I need a way to take the size of the encrypted message using language function like strlen (). Is there other solution? Hi, What protocol are you using? If you cannot send the length of the encrypted data, then you cannot decrypt it properly. I'm going to use stream protocol - TCP/IP. Here is the template source code of the server without the encryption part #include #include #include #include #include #include void* thread_proc(void *arg); int main(int argc, char *argv[]) { struct sockaddr_in sAddr; int listensock; int result; int nchildren = 1; pthread_t thread_id; int x; int val; if (argc 1) { nchildren = atoi(argv[1]); } listensock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); val = 1; result = setsockopt(listensock, SOL_SOCKET, SO_REUSEADDR, amp;val, sizeof(val)); if (result 0) { perror(server5); return 0; } sAddr.sin_family = AF_INET; sAddr.sin_port = htons(1972); sAddr.sin_addr.s_addr = INADDR_ANY; result = bind(listensock, (struct sockaddr *) amp;sAddr, sizeof(sAddr)); if (result 0) { perror(exserver5); return 0; } result = listen(listensock, 5); if (result 0) { perror(exserver5); return 0; } for (x = 0; x nchildren; x++) { result = pthread_create(amp;thread_id, NULL, thread_proc, (void *) listensock); if (result != 0) { printf(Could not create thread.\n); return 0; } sched_yield(); } pthread_join (thread_id, NULL); } void* thread_proc(void *arg) { int listensock, sock; char buffer[25]; int nread; listensock = (int) arg; while (1) { sock = accept(listensock, NULL, NULL); printf(client connected to child thread %i with pid %i.\n, pthread_self(), getpid()); nread = recv(sock, buffer, 25, 0); buffer[nread] = '\0'; printf(%s\n, buffer); send(sock, buffer, nread, 0); close(sock); printf(client disconnected from child thread %i with pid %i.\n, pthread_self(), getpid()); } }
Re: Re: Re: Re: Cannot encrypt text - need help
What protocol are you using? What I mean is application layer protocol. But since in your example, you're using your own protocol, why not send both length and data. Example. Then in you receiving end, do recv 4 bytes, get length, and recv until received data equals to length. And decrypt. - re You mean furst to send the encryped string and next the length of the string as value? Example for server: send(sock, encrypted_string, 25, 0); send(sock, encrypted_string_length, 25, 0); For client recv(sock, encrypted_string, 25, 0); recv(sock, encrypted_string_length, 25, 0); On Sun, May 1, 2011 at 4:34 PM, derleader mail derlea...@abv.bg wrote: The encrypted output is not a NULL terminated string so strlen will not work. EVP_DecryptUpdate(amp;ctx, (unsigned char *)plaintextz, amp;out_len, (unsigned char *)ciphertext, strlen(ciphertext)); Use the length output from the encryption part. Thank you very much for the reply. The problem is that the encryption and decryption must be on separate machines. I need a way to take the size of the encrypted message using language function like strlen (). Is there other solution? Hi, What protocol are you using? If you cannot send the length of the encrypted data, then you cannot decrypt it properly. I'm going to use stream protocol - TCP/IP. Here is the template source code of the server without the encryption part #include #include #include #include #include #include void* thread_proc(void *arg); int main(int argc, char *argv[]) { struct sockaddr_in sAddr; int listensock; int result; int nchildren = 1; pthread_t thread_id; int x; int val; if (argc 1) { nchildren = atoi(argv[1]); } listensock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); val = 1; result = setsockopt(listensock, SOL_SOCKET, SO_REUSEADDR, amp;val, sizeof(val)); if (result 0) { perror(server5); return 0; } sAddr.sin_family = AF_INET; sAddr.sin_port = htons(1972); sAddr.sin_addr.s_addr = INADDR_ANY; result = bind(listensock, (struct sockaddr *) amp;sAddr, sizeof(sAddr)); if (result 0) { perror(exserver5); return 0; } result = listen(listensock, 5); if (result 0) { perror(exserver5); return 0; } for (x = 0; x nchildren; x++) { result = pthread_create(amp;thread_id, NULL, thread_proc, (void *) listensock); if (result != 0) { printf(Could not create thread.\n); return 0; } sched_yield(); } pthread_join (thread_id, NULL); } void* thread_proc(void *arg) { int listensock, sock; char buffer[25]; int nread; listensock = (int) arg; while (1) { sock = accept(listensock, NULL, NULL); printf(client connected to child thread %i with pid %i.\n, pthread_self(), getpid()); nread = recv(sock, buffer, 25, 0); buffer[nread] = '\0'; printf(%s\n, buffer); send(sock, buffer, nread, 0); close(sock); printf(client disconnected from child thread %i with pid %i.\n, pthread_self(), getpid()); } }
Re: Re: Cannot encrypt text - need help
I'm going to use stream protocol - TCP/IP. Here is the template source code of the server without the encryption part We mean application protocol. while (1) { sock = accept(listensock, NULL, NULL); printf(client connected to child thread %i with pid %i.\n, pthread_self(), getpid()); nread = recv(sock, buffer, 25, 0); buffer[nread] = '\0'; printf(%s\n, buffer); send(sock, buffer, nread, 0); close(sock); printf(client disconnected from child thread %i with pid %i.\n, pthread_self(), getpid()); } } This code isn't very helpful. It just reads and writes the very same data. Nothing in this code tells us, for example, how to identify a complete message. You could interpose an encryption protocol that also imposed no such requirements. You would need to work out your own padding though. Blowfish is a block encryption algorithm and cannot encrypt just a single byte. So if you only read one byte, you'd need to pad it before encryption and then you'd need some way to remove the padding on the other end. I would strongly urge you to just use SSL. It is designed for *exactly* this purpose. DS Thank you David. I will give you more information about the code I'm goind to write. What is the purpose of the project? This is a open source project - I need a way to monitor a huge number of servers - monitor CPU load, RAM load, HDD load, installed packets and etc. The data which will gathered will be structured in JSON format and sended to one main server - Centos x86_64. The load will very high - every for example 2 hours the main Centos server will make checks of the monitored servers - this means that the monitored servers will establish connection with the main server and exchange JSON data maybe 200+ lines. Later on it will be added support for remote patching - this will include trasportation of installable rpm file to the remote server - sometimes bigger files will be transported. So I need a high performance solution that can handle many connections with little server load. 1. SSL is a good solution but is not high performance - it's more suitable for encryption of a web page. When establishing connection more that 100 connections are used to perform the SSL handshake and is not suitable for big bynary data. 2. Symethric encryption is more suitable because it is higth performance and will scale very well. I need a high performance optimizad solution. What is your opinion? What will be the best approach? Regards Peter
Re: Re: Cannot encrypt text - need help
Don't you know how much data you've read that you're about to decrypt? in your code template, you showed the sendign routine doing... nread = recv(sock, buffer, 25, 0); isn't the recieving routine doing somethign similar? well, nread would be the length you need, no? Yes it's true. I also think this. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Cannot encrypt text - need help
Hi, I'm trying to code a C program that can convert very big number of characters. The problem is that there is an error in decryption. This is the code: //gcc test_Blowfish.c -L/usr/local/ssl/lib/ -lssl -lcrypto -Wall #include #include #include #include #include int main(void) { char plaintext[1024] = {aaX{aaX57 : {223 : 2323}}{}{}{}{}{}{3535:42424}242424242242424243r23r23r23r23r23r23r3r{}pppa57 : {223 : 2323}}{}{}{}{}{}{3535:42424}242424242242424243r23r23r23r23r23r23r3r{}pppa{aaX57 : {223 : 2323}}{}{}{}{}{}{3535:42424}242424242242424243r23r23r23r23r23r23r3r{}pppa; char plaintextz[1024]; char ciphertext[1024]= {0,}; char mykey[EVP_MAX_KEY_LENGTH] = blowfish_key; char iv[EVP_MAX_IV_LENGTH] = blowfish; int tmp_len = 0, in_len, out_len=0; EVP_CIPHER_CTX ctx; //memset(mykey,0,sizeof(mykey)); //memset(iv,0,sizeof(iv)); printf(No encrypt: %s\n, plaintext); printf(No encrypt size: %d\n, strlen(plaintext)); //Encrypt EVP_EncryptInit(amp;ctx, EVP_bf_cfb(), (unsigned char *)mykey, (unsigned char *)iv); EVP_EncryptUpdate(amp;ctx, (unsigned char *)ciphertext, amp;out_len, (unsigned char *)plaintext, strlen(plaintext)); //Block through the mem to be encrypted tmp_len += out_len; EVP_EncryptFinal(amp;ctx, (unsigned char *) amp;ciphertext[out_len], amp;out_len); //Finish any remaining encryption and throw a pad on tmp_len += out_len; printf(Encrypted: %s\n, ciphertext); printf(Encrypted size: %d\n, tmp_len); //Reset memory for Decryption // memset(plaintext,0,sizeof(plaintext)); in_len = tmp_len; out_len = tmp_len = 0; //decrypt EVP_DecryptInit(amp;ctx, EVP_bf_cfb(), (unsigned char *)mykey, (unsigned char *)iv); EVP_DecryptUpdate(amp;ctx, (unsigned char *)plaintextz, amp;out_len, (unsigned char *)ciphertext, strlen(ciphertext)); tmp_len += out_len; EVP_DecryptFinal(amp;ctx, (unsigned char *)amp;plaintextz[out_len], amp;out_len); tmp_len += out_len; //Zero out the pad memset(amp;plaintext[tmp_len],0,(int)(sizeof(plaintext)) - tmp_len); printf(Decrypted : %s\n, plaintextz); printf(Decrypted size: %d\n, tmp_len); printf(Block Size: %d\n,EVP_CIPHER_CTX_block_size(amp;ctx)); return 0; } This is the output: [root@localhost test]# ./a.out No encrypt: {aaX{aaX57 : {223 : 2323}}{}{}{}{}{}{3535:42424}242424242242424243r23r23r23r23r23r23r3r{}pppa57 : {223 : 2323}}{}{}{}{}{}{3535:42424}242424242242424243r23r23r23r23r23r23r3r{}pppa{aaX57 : {223 : 2323}}{}{}{}{}{}{3535:42424}242424242242424243r23r23r23r23r23r23r3r{}pppa No encrypt size: 267 Encrypted: �A-��W=?:�$�i�_�8:�F�wo#�5�@D�mo��-I���F�Q�J�#��F�0b�;�`�C䦱�~6�)ހ�YG�ed�Ӕ�Z%�9!mdvϋ���\���QB��}�N@_�W�F�e� Encrypted size: 267 Decrypted : {aaX{aaX57 : {223 : 2323}}{}{}{}{}{}{3535:42424}242424242242424243r23r23r23r23r23r23r3r{}pppa57 : {223 : 2323}}{}{}{}{}{}{3535:4242 Decrypted size: 131 Block Size: 1 As youy see the decrypted size number is less that the original. Any idea where is the problem?
Re: Re: Cannot encrypt text - need help
Hi, The encrypted output is not a NULL terminated string so strlen will not work. EVP_DecryptUpdate(amp;ctx, (unsigned char *)plaintextz, amp;out_len, (unsigned char *)ciphertext, strlen(ciphertext)); Use the length output from the encryption part. Thank you very much for the reply. The problem is that the encryption and decryption must be on separate machines. I need a way to take the size of the encrypted message using language function like strlen (). Is there other solution? Regards - re On Sun, May 1, 2011 at 12:27 AM, derleader mail derlea...@abv.bg wrote: Hi, I'm trying to code a C program that can convert very big number of characters. The problem is that there is an error in decryption. This is the code: //gcc test_Blowfish.c -L/usr/local/ssl/lib/ -lssl -lcrypto -Wall #include #include #include #include #include int main(void) { char plaintext[1024] = {aaX{aaX57 : {223 : 2323}}{}{}{}{}{}{3535:42424}242424242242424243r23r23r23r23r23r23r3r{}pppa57 : {223 : 2323}}{}{}{}{}{}{3535:42424}242424242242424243r23r23r23r23r23r23r3r{}pppa{aaX57 : {223 : 2323}}{}{}{}{}{}{3535:42424}242424242242424243r23r23r23r23r23r23r3r{}pppa; char plaintextz[1024]; char ciphertext[1024]= {0,}; char mykey[EVP_MAX_KEY_LENGTH] = blowfish_key; char iv[EVP_MAX_IV_LENGTH] = blowfish; int tmp_len = 0, in_len, out_len=0; EVP_CIPHER_CTX ctx; //memset(mykey,0,sizeof(mykey)); //memset(iv,0,sizeof(iv)); printf(No encrypt: %s\n, plaintext); printf(No encrypt size: %d\n, strlen(plaintext)); //Encrypt EVP_EncryptInit(amp;ctx, EVP_bf_cfb(), (unsigned char *)mykey, (unsigned char *)iv); EVP_EncryptUpdate(amp;ctx, (unsigned char *)ciphertext, amp;out_len, (unsigned char *)plaintext, strlen(plaintext)); //Block through the mem to be encrypted tmp_len += out_len; EVP_EncryptFinal(amp;ctx, (unsigned char *) amp;ciphertext[out_len], amp;out_len); //Finish any remaining encryption and throw a pad on tmp_len += out_len; printf(Encrypted: %s\n, ciphertext); printf(Encrypted size: %d\n, tmp_len); //Reset memory for Decryption // memset(plaintext,0,sizeof(plaintext)); in_len = tmp_len; out_len = tmp_len = 0; //decrypt EVP_DecryptInit(amp;ctx, EVP_bf_cfb(), (unsigned char *)mykey, (unsigned char *)iv); EVP_DecryptUpdate(amp;ctx, (unsigned char *)plaintextz, amp;out_len, (unsigned char *)ciphertext, strlen(ciphertext)); tmp_len += out_len; EVP_DecryptFinal(amp;ctx, (unsigned char *)amp;plaintextz[out_len], amp;out_len); tmp_len += out_len; //Zero out the pad memset(amp;plaintext[tmp_len],0,(int)(sizeof(plaintext)) - tmp_len); printf(Decrypted : %s\n, plaintextz); printf(Decrypted size: %d\n, tmp_len); printf(Block Size: %d\n,EVP_CIPHER_CTX_block_size(amp;ctx)); return 0; } This is the output: [root@localhost test]# ./a.out No encrypt: {aaX{aaX57 : {223 : 2323}}{}{}{}{}{}{3535:42424}242424242242424243r23r23r23r23r23r23r3r{}pppa57 : {223 : 2323}}{}{}{}{}{}{3535:42424}242424242242424243r23r23r23r23r23r23r3r{}pppa{aaX57 : {223 : 2323}}{}{}{}{}{}{3535:42424}242424242242424243r23r23r23r23r23r23r3r{}pppa No encrypt size: 267 Encrypted: �A-�� W =?:�$�i �_�8:�F�wo#�5 � @D�mo��-I ���F�Q�J�#��F�0b� ;�`� C䦱�~6�)ހ�YG �ed�Ӕ�Z%�9!mdvϋ���\���QB��}�N @_�W�F�e� Encrypted size: 267 Decrypted : {aaX{aaX57 : {223 : 2323}}{}{}{}{}{}{3535:42424}242424242242424243r23r23r23r23r23r23r3r{}pppa57 : {223 : 2323}}{}{}{}{}{}{3535:4242 Decrypted size: 131 Block Size: 1 As youy see the decrypted size number is less that the original. Any idea where is the problem?
Blowfish implementation with OpenSSL
Hi, I'm working on implementation of OpenSSL and Blowfish. Can you help me to improve the code, Is there a problem in the code? C code: //cl test_AES.c /IC:\openssl\include /linkC:\openssl\lib\libeay32.lib //gcc test_AES.c -L/usr/local/ssl/lib/ -lssl -lcrypto -Wall #include #include #include #include #include int main(void) { char plaintext[1024] = Hello World? - this is a test of Blowfish! of which I'm curious to see if it really is working.\n; char ciphertext[1024]= {0,}; char mykey[EVP_MAX_KEY_LENGTH] = blowfish_key; char iv[EVP_MAX_IV_LENGTH] = blowfish; int tmp_len = 0, in_len, out_len=0; EVP_CIPHER_CTX ctx; //memset(mykey,0,sizeof(mykey)); //memset(iv,0,sizeof(iv)); in_len = strlen(plaintext); printf(No encrypt: %s\n, plaintext); //Encrypt EVP_EncryptInit(amp;ctx, EVP_bf_cfb(), (unsigned char *)mykey, (unsigned char *)iv); EVP_EncryptUpdate(amp;ctx, (unsigned char *)ciphertext, amp;out_len, (unsigned char *)plaintext, in_len); //Block through the mem to be encrypted tmp_len += out_len; EVP_EncryptFinal(amp;ctx, (unsigned char *) amp;ciphertext[out_len], amp;out_len); //Finish any remaining encryption and throw a pad on tmp_len += out_len; printf(Encrypted: %s\n, ciphertext); //Reset memory for Decryption memset(plaintext,0,sizeof(plaintext)); in_len = tmp_len; out_len = tmp_len = 0; //decrypt EVP_DecryptInit(amp;ctx, EVP_bf_cfb(), (unsigned char *)mykey, (unsigned char *)iv); EVP_DecryptUpdate(amp;ctx, (unsigned char *)plaintext, amp;out_len, (unsigned char *)ciphertext, in_len); tmp_len += out_len; EVP_DecryptFinal(amp;ctx, (unsigned char *)amp;plaintext[out_len], amp;out_len); tmp_len += out_len; //Zero out the pad memset(amp;plaintext[tmp_len],0,(int)(sizeof(plaintext)) - tmp_len); printf(Decrypted: %s\n, plaintext); printf(Block Size: %d\n,EVP_CIPHER_CTX_block_size(amp;ctx)); return 0; }
Best book with examples for OpenSSL
Hi, I found several books about OpenSSL. This book seems the best one http://oreilly.com/catalog/9780596003944 There is another book for http://www.opensslbook.com/ but it seems very outdated. Is there other books or tutorials with ready made examples? Regards Peter
Re: Re: Best book with examples for OpenSSL
Hi. I'm in the process of learning the API myself. I had concerns about the book Network Programming with OpenSSL. Having consulted someone with experience in this matter it appears that the API itself has changed very little and the book is still relevant. The cryptographic functions within the library are kept current but they are still accessed through the same API. Is this a fair statement? I am looking for specific information on using the library in a multi-threaded / asynchronous IO server (Windows - using IOCP). I'd appreciate any information on the subject. An example would be great. Best regards, Andre Hi, I'm too looking for multi-threaded example but for synchronous IO server for Linux. Has anyone know are there example code? Regards Peter
Compile OpenSSL with minimum modules
Hi, I need to compile OpenSSL only with support for Symmetric encryption - only 3DES support. How I can remove all unneeded stuff? Can you give an advice what to remove and how to remove it? Regards Peter
Re: Re: Compile OpenSSL with minimum modules
Hi, I need to compile OpenSSL only with support for Symmetric encryption - only 3DES support. How I can remove all unneeded stuff? Can you give an advice what to remove and how to remove it? I suppose one approach would be to run a test suite that does just what you need (and everything you need) with a debug build of openssl, and run it under a code profiler (such as Intel's VTune), iterate this sufficiently to get adequate code coverage, then seen what big chunks DONT get touched, and add #IF's around them to block them out, rebuild, and iterate until it meets your requirements. Thank you for the reply! Unfortunately I'm working with C from several weels. Can you explain me this in more details how to do this? Regards Peter
Multithreaded server example of OpenSSL
Hi, I need a multithreaded OpenSSL server which can handle multiple clients. Is there full example of such a server? Regards Peter