RE: RE: RE: Cannot encrypt text - need help
* derleader mail on Monday, May 02, 2011 8:14 PM > > But what exactly do you want to know? If you can use SSL and > > Blowfish? > > It does not appear in http://www.openssl.org/docs/apps/ciphers.html. > > > Yes the web site and the book about the OpenSSL is outdated. Does TLS spec nowadays defines a Blowfish cipher suite? > If you have to design high performance server which must be > able to process many requests from clients how are you going > to design it? Lets say something like Nagios. Could you > explain in details? I would have one or two central Nagios servers that remotely collect the data. I would consider SSL (probably in form of stunnel) and SSH. Since establishing costs most performance, the SSL or SSH tunnel should be kept. I think first I would favor SSH, because I have a Linux Nagios server and would use some u*nx for the high performance servers and would have SSH available anyway. By this, the plugins running on the Nagios server could be shell scripts (or perl or whatever). Maybe having some server reachable locally only, thus remotely via stunnel or SSH port forwarder, could offer the needed data, which could be queried by Nagios plugin scripts. Of course all of this depends on the detailed requirements. I think, often monitoring has to be maintained and extended (i.e. when the UPS failed the first time, from that on you will monitor the serial link to it and it's battery level etc), so I think it is good to have something that can quickly adopted to new requirements. To monitor load and disk usage, BTW, I do not use any cryptography, because this is non-secret data in the monitoring net (read-only SNMP is used). oki, Steffen __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: RE: RE: Cannot encrypt text - need help
>> If I decide to go with openssl and blowfish what are the >> potential threats? > >Yes, heaps of. >You might consider asking more detailed. > >> Is there another security mechanism that I can use with blowfish? > >Of course... >But what exactly do you want to know? If you can use SSL and Blowfish? >It does not appear in http://www.openssl.org/docs/apps/ciphers.html. > Yes the web site and the book about the OpenSSL is outdated. If you have to design high performance server which must be able to process many requests from clients how are you going to design it? Lets say something like Nagios. Could you explain in details? Regards Peter
RE: RE: Cannot encrypt text - need help
> If I decide to go with openssl and blowfish what are the > potential threats? Yes, heaps of. You might consider asking more detailed. > Is there another security mechanism that I can use with blowfish? Of course... But what exactly do you want to know? If you can use SSL and Blowfish? It does not appear in http://www.openssl.org/docs/apps/ciphers.html. -- About Ingenico: Ingenico is a leading provider of payment, transaction and business solutions, with over 15 million terminals deployed in more than 125 countries. Over 3,000 employees worldwide support merchants, banks and service providers to optimize and secure their electronic payments solutions, develop their offer of services and increase their point of sales revenue. http://www.ingenico.com/. This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation. P Please consider the environment before printing this e-mail __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Cannot encrypt text - need help
On Mon May 2 2011, derleader mail wrote: >>> > I'm going to use stream protocol - TCP/IP. Here is the > >> template source > >> > code of the server without the encryption part > >> > >> We mean application protocol. > >> > >> > while (1) { > >> > sock = accept(listensock, NULL, NULL); > >> > printf("client connected to child thread %i with pid %i.\n", > >> > pthread_self(), getpid()); > > > >pthread_t and pid_t are not required to be int and sometimes aren't. > >I don't think they're even required to be any integers. > > > >> > nread = recv(sock, buffer, 25, 0); > >> > buffer[nread] = '\0'; > > > >Where buffer is char[25]. If the client always sends 25 bytes > >(or more) this will write outside the space allocated for buffer[]. > >This is undefined behavior in C and the program can fail arbitrarily. > >On today's systems usually this will 'accidentally' work, > >but you have no confidence of that in the future. > >Either make maximum read at least one byte smaller than buffer, > >or buffer at least one byte larger than maximum read. > > > >Also, recv() returns -1 if error; storing to buffer[-1] > >is also undefined and more likely to actually screw up. > > > >For that matter, accept() can fail and return not a valid socket, > >in which case the recv() and send() can't succeed. > > > >> > printf("%s\n", buffer); > > > >If this is the only reason you wanted null termination, > >you could do printf("%.*s\n",nread,buffer) instead. > > > >> > send(sock, buffer, nread, 0); > >> > close(sock); > >> > printf("client disconnected from child thread %i with pid %i.\n", > >> > pthread_self(), getpid()); > >> > } > >> > } > >> > >> This code isn't very helpful. It just reads and writes the very same > >> data. Nothing in this code tells us, for example, how to identify a > >> complete message. > >> > >Unless the messages are fixed-length 25 bytes. I've seen crazier. > > > >> You could interpose an encryption protocol that also imposed no such > >> requirements. You would need to work out your own padding though. > >> Blowfish is a block encryption algorithm and cannot encrypt just a > >> single byte. So if you only read one byte, you'd need to pad > >> it before > >> encryption and then you'd need some way to remove the padding on the > >> other end. > >> > >Not quite; OP's earlier code had Blowfish *CFB*, > >a stream mode that can handle any number of bytes. > >(The mode itself can handle any number of bits, but > >the OpenSSL API doesn't handle sub-byte amounts.) > > > >However a stream mode is generally more vulnerable to > >bit-flipping unless authenticated, which the OP didn't. > > > >Also his 'test' had a fixed IV (and key), > >but maybe that was only a test. > > > >> I would strongly urge you to just use SSL. It is designed for > >> *exactly* > >> this purpose. > >> > >Agree there. > > > >Also it should be noted session caching only helps > >if both ends support (and allow) it; it is optional. > >If you write both programs and use OpenSSL, it's easy, > >but in some other situations it might not be. > > > One more question: > > If I decide to go with openssl and blowfish what are the potential threats? > Is there another security mechanism that I can use with blowfish? > ??? What does the output of: 'openssl enc ?' have to say to you? Mine says that openssl does do Blowfish. ??? I thought you wrote that you wanted performance? Why then Blowfish instead of one of the encryptions supported in hardware? VIA processors do AES in hardware (and OpenSSL has an engine for it). Another poster mentioned that new Intel processors also do hardware AES. What does your project specification require that makes you choose Blowfish in software over something else in hardware? Mike > Regards > Peter > __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: RE: Cannot encrypt text - need help
>> > I'm going to use stream protocol - TCP/IP. Here is the >> template source >> > code of the server without the encryption part >> >> We mean application protocol. >> >> > while (1) { >> > sock = accept(listensock, NULL, NULL); >> > printf("client connected to child thread %i with pid %i.\n", >> > pthread_self(), getpid()); > >pthread_t and pid_t are not required to be int and sometimes aren't. >I don't think they're even required to be any integers. > >> > nread = recv(sock, buffer, 25, 0); >> > buffer[nread] = '\0'; > >Where buffer is char[25]. If the client always sends 25 bytes >(or more) this will write outside the space allocated for buffer[]. >This is undefined behavior in C and the program can fail arbitrarily. >On today's systems usually this will 'accidentally' work, >but you have no confidence of that in the future. >Either make maximum read at least one byte smaller than buffer, >or buffer at least one byte larger than maximum read. > >Also, recv() returns -1 if error; storing to buffer[-1] >is also undefined and more likely to actually screw up. > >For that matter, accept() can fail and return not a valid socket, >in which case the recv() and send() can't succeed. > >> > printf("%s\n", buffer); > >If this is the only reason you wanted null termination, >you could do printf("%.*s\n",nread,buffer) instead. > >> > send(sock, buffer, nread, 0); >> > close(sock); >> > printf("client disconnected from child thread %i with pid %i.\n", >> > pthread_self(), getpid()); >> > } >> > } >> >> This code isn't very helpful. It just reads and writes the very same >> data. Nothing in this code tells us, for example, how to identify a >> complete message. >> >Unless the messages are fixed-length 25 bytes. I've seen crazier. > >> You could interpose an encryption protocol that also imposed no such >> requirements. You would need to work out your own padding though. >> Blowfish is a block encryption algorithm and cannot encrypt just a >> single byte. So if you only read one byte, you'd need to pad >> it before >> encryption and then you'd need some way to remove the padding on the >> other end. >> >Not quite; OP's earlier code had Blowfish *CFB*, >a stream mode that can handle any number of bytes. >(The mode itself can handle any number of bits, but >the OpenSSL API doesn't handle sub-byte amounts.) > >However a stream mode is generally more vulnerable to >bit-flipping unless authenticated, which the OP didn't. > >Also his 'test' had a fixed IV (and key), >but maybe that was only a test. > >> I would strongly urge you to just use SSL. It is designed for >> *exactly* >> this purpose. >> >Agree there. > >Also it should be noted session caching only helps >if both ends support (and allow) it; it is optional. >If you write both programs and use OpenSSL, it's easy, >but in some other situations it might not be. One more question: If I decide to go with openssl and blowfish what are the potential threats? Is there another security mechanism that I can use with blowfish? Regards Peter
RE: Re: Cannot encrypt text - need help
* owner-openssl-us...@openssl.org > What is the purpose of the project? > > This is a open source project - I need a way to monitor a > huge number of servers - monitor CPU load, RAM load, HDD > load, installed packets and etc. Why not using http://www.nagios.org/? > The data which will gathered > will be structured in JSON format and sended to one main > server - Centos x86_64. The load will very high - every for > example 2 hours the main Centos server will make checks of > the monitored servers - this means that the monitored servers > will establish connection with the main server and exchange > JSON data maybe 200+ lines. Encrypting a few bytes with some stream cipher every two hours shouldn't be a problem for a PC server, even if it has some load, I think. > Later on it will be added support for remote patching - this > will include trasportation of installable rpm file to the > remote server - sometimes bigger files will be transported. Aren't there sophisticated existing solutions for that? To sync bigger files, "rsync -e ssh --bwlimit" comes to mind. > So I need a high performance solution that can handle many > connections with little server load. Why not using SSL, for example in form of stunnel, and keep the tunnel up all the time? Or keeping an SSH connection open, which might be easiest to use from shell scripts. SSH port tunneling might also help > 1. SSL is a good solution but is not high performance - it's > more suitable for encryption of a web page. When establishing > connection more that 100 connections are used to perform the > SSL handshake and is not suitable for big bynary data. This isn't right. I think you can safely expect that SSL/TLS is according to current knowledge close to the best possible performance without trading speed for security and it can be configured well (see stunnel with all it's options, for example). So SSL/TLS is fast (for the security it provides). > 2. Symethric encryption is more suitable because it is higth > performance and will scale very well. Yes, as used in SSL and SSH. (BTW, I think only symetric encryption is suited because asymetric does not work well for longer data) > I need a high performance optimizad solution. If you only need high performance (no security), why not using plain text TCP/IP communications (firewalled)? > What is your opinion? > What will be the best approach? Maybe have a look at Nagios and use remote monitor plug-in scripts using SSH-port-forwarded access, should be easy, safe, secure, performant, maintenable and based on tested components. oki, Steffen -- end of mail __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: RE: Cannot encrypt text - need help
> >> On 5/1/2011 1:34 AM, derleader mail wrote: >> >> > I'm going to use stream protocol - TCP/IP. Here is the >> template source >> > code of the server without the encryption part >> >> We mean application protocol. >> >> > while (1) { >> > sock = accept(listensock, NULL, NULL); >> > printf("client connected to child thread %i with pid %i.\n", >> > pthread_self(), getpid()); > >pthread_t and pid_t are not required to be int and sometimes aren't. >I don't think they're even required to be any integers. > >> > nread = recv(sock, buffer, 25, 0); >> > buffer[nread] = '\0'; > >Where buffer is char[25]. If the client always sends 25 bytes >(or more) this will write outside the space allocated for buffer[]. >This is undefined behavior in C and the program can fail arbitrarily. >On today's systems usually this will 'accidentally' work, >but you have no confidence of that in the future. >Either make maximum read at least one byte smaller than buffer, >or buffer at least one byte larger than maximum read. > >Also, recv() returns -1 if error; storing to buffer[-1] >is also undefined and more likely to actually screw up. > >For that matter, accept() can fail and return not a valid socket, >in which case the recv() and send() can't succeed. > >> > printf("%s\n", buffer); > >If this is the only reason you wanted null termination, >you could do printf("%.*s\n",nread,buffer) instead. > >> > send(sock, buffer, nread, 0); >> > close(sock); >> > printf("client disconnected from child thread %i with pid %i.\n", >> > pthread_self(), getpid()); >> > } >> > } >> >> This code isn't very helpful. It just reads and writes the very same >> data. Nothing in this code tells us, for example, how to identify a >> complete message. >> >Unless the messages are fixed-length 25 bytes. I've seen crazier. > >> You could interpose an encryption protocol that also imposed no such >> requirements. You would need to work out your own padding though. >> Blowfish is a block encryption algorithm and cannot encrypt just a >> single byte. So if you only read one byte, you'd need to pad >> it before >> encryption and then you'd need some way to remove the padding on the >> other end. >> >Not quite; OP's earlier code had Blowfish *CFB*, >a stream mode that can handle any number of bytes. >(The mode itself can handle any number of bits, but >the OpenSSL API doesn't handle sub-byte amounts.) > >However a stream mode is generally more vulnerable to >bit-flipping unless authenticated, which the OP didn't. > >Also his 'test' had a fixed IV (and key), >but maybe that was only a test. > >> I would strongly urge you to just use SSL. It is designed for >> *exactly* >> this purpose. >> >Agree there. > >Also it should be noted session caching only helps >if both ends support (and allow) it; it is optional. >If you write both programs and use OpenSSL, it's easy, >but in some other situations it might not be. > Ok, I agree I will use SSL. Do you know where I can find multithreaded source code of SSL server and client? Have you see benchmark tests of the latest OpenSSL library? Regards Peter - Дизайнерски обувки с до -70%. Регистрирай се и пазарувай. http://clk.tradedoubler.com/click?p=191500&a=1875689&g=19425934
Re: Re: Cannot encrypt text - need help
>> So I need a high performance solution that can handle many connections >> with little server load. >> >> 1. SSL is a good solution but is not high performance - it's more >> suitable for encryption of a web page. When establishing connection more >> that 100 connections are used to perform the SSL handshake and is not >> suitable for big bynary data. > >I don't know where you're getting that from, but it's totally incorrect. >The SSL handshake, if repeated between the same two endpoints multiple >times, is quite high performance because the sessions can be cached. As >for big binary data, why do you think SSL is unsuitable? My mistake, sorry. > >> 2. Symethric encryption is more suitable because it is higth performance >> and will scale very well. > >SSL is symmetric encryption. PK is used for session setup and key >negotiation, but the encryption of bulk data is symmetric. > >> I need a high performance optimizad solution. >> >> What is your opinion? >> What will be the best approach? > >SSL. It's already well-maintained and heavily optimized. It can easily >be proxied without understanding the underlying application protocol. >Padding, message integrity, session caching, authentication and the like >are already done. > >As a plus, SSL permits easily adjusting the encryption and >authentication schemes to provide the desired balance between >performance and security. And SSL accelerators are widely available -- >for example, newer Intel processors have AES acceleration, so if you use >SSL, those who have them can choose AES as the bulk encryption protocol. >Had you decided on blowfish and locked it in the way you seem to be >planning, it would take significant changes to get the benefit of AES-NI. > >Also, you will have a much harder time getting your project accepted if >you just made up the security scheme yourself. The effort required to >ensure the scheme was properly designed and implemented (especially >given all the false starts and misunderstandings so far) would almost >certainly drastically outweigh any hypothetical performance benefit you >might get. > >DS > Ok, I agree. It's better to use SSL. Do you know where I can find multithreaded and optimazed source code of SSL server and client? I found many examples with SSL servers but they are simple examples. And also have you see benchmarks of the latest openssl version? Regards Peter - Дизайнерски обувки с до -70%. Регистрирай се и пазарувай. http://clk.tradedoubler.com/click?p=191500&a=1875689&g=19425934
RE: Cannot encrypt text - need help
> From: owner-openssl-us...@openssl.org On Behalf Of David Schwartz > Sent: Sunday, 01 May, 2011 06:03 > On 5/1/2011 1:34 AM, derleader mail wrote: > > > I'm going to use stream protocol - TCP/IP. Here is the > template source > > code of the server without the encryption part > > We mean application protocol. > > > while (1) { > > sock = accept(listensock, NULL, NULL); > > printf("client connected to child thread %i with pid %i.\n", > > pthread_self(), getpid()); pthread_t and pid_t are not required to be int and sometimes aren't. I don't think they're even required to be any integers. > > nread = recv(sock, buffer, 25, 0); > > buffer[nread] = '\0'; Where buffer is char[25]. If the client always sends 25 bytes (or more) this will write outside the space allocated for buffer[]. This is undefined behavior in C and the program can fail arbitrarily. On today's systems usually this will 'accidentally' work, but you have no confidence of that in the future. Either make maximum read at least one byte smaller than buffer, or buffer at least one byte larger than maximum read. Also, recv() returns -1 if error; storing to buffer[-1] is also undefined and more likely to actually screw up. For that matter, accept() can fail and return not a valid socket, in which case the recv() and send() can't succeed. > > printf("%s\n", buffer); If this is the only reason you wanted null termination, you could do printf("%.*s\n",nread,buffer) instead. > > send(sock, buffer, nread, 0); > > close(sock); > > printf("client disconnected from child thread %i with pid %i.\n", > > pthread_self(), getpid()); > > } > > } > > This code isn't very helpful. It just reads and writes the very same > data. Nothing in this code tells us, for example, how to identify a > complete message. > Unless the messages are fixed-length 25 bytes. I've seen crazier. > You could interpose an encryption protocol that also imposed no such > requirements. You would need to work out your own padding though. > Blowfish is a block encryption algorithm and cannot encrypt just a > single byte. So if you only read one byte, you'd need to pad > it before > encryption and then you'd need some way to remove the padding on the > other end. > Not quite; OP's earlier code had Blowfish *CFB*, a stream mode that can handle any number of bytes. (The mode itself can handle any number of bits, but the OpenSSL API doesn't handle sub-byte amounts.) However a stream mode is generally more vulnerable to bit-flipping unless authenticated, which the OP didn't. Also his 'test' had a fixed IV (and key), but maybe that was only a test. > I would strongly urge you to just use SSL. It is designed for > *exactly* > this purpose. > Agree there. Also it should be noted session caching only helps if both ends support (and allow) it; it is optional. If you write both programs and use OpenSSL, it's easy, but in some other situations it might not be. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Cannot encrypt text - need help
On 5/1/2011 3:31 AM, derleader mail wrote: So I need a high performance solution that can handle many connections with little server load. 1. SSL is a good solution but is not high performance - it's more suitable for encryption of a web page. When establishing connection more that 100 connections are used to perform the SSL handshake and is not suitable for big bynary data. I don't know where you're getting that from, but it's totally incorrect. The SSL handshake, if repeated between the same two endpoints multiple times, is quite high performance because the sessions can be cached. As for big binary data, why do you think SSL is unsuitable? 2. Symethric encryption is more suitable because it is higth performance and will scale very well. SSL is symmetric encryption. PK is used for session setup and key negotiation, but the encryption of bulk data is symmetric. I need a high performance optimizad solution. What is your opinion? What will be the best approach? SSL. It's already well-maintained and heavily optimized. It can easily be proxied without understanding the underlying application protocol. Padding, message integrity, session caching, authentication and the like are already done. As a plus, SSL permits easily adjusting the encryption and authentication schemes to provide the desired balance between performance and security. And SSL accelerators are widely available -- for example, newer Intel processors have AES acceleration, so if you use SSL, those who have them can choose AES as the bulk encryption protocol. Had you decided on blowfish and locked it in the way you seem to be planning, it would take significant changes to get the benefit of AES-NI. Also, you will have a much harder time getting your project accepted if you just made up the security scheme yourself. The effort required to ensure the scheme was properly designed and implemented (especially given all the false starts and misunderstandings so far) would almost certainly drastically outweigh any hypothetical performance benefit you might get. DS __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Re: Cannot encrypt text - need help
>Don't you know how much data you've read that you're about to decrypt? > >in your code template, you showed the sendign routine doing... > > nread = recv(sock, buffer, 25, 0); > >isn't the recieving routine doing somethign similar? well, nread would >be the length you need, no? Yes it's true. I also think this. > > >__ >OpenSSL Project http://www.openssl.org >User Support Mailing Listopenssl-users@openssl.org >Automated List Manager majord...@openssl.org >
Re: Re: Cannot encrypt text - need help
>> I'm going to use stream protocol - TCP/IP. Here is the template source >> code of the server without the encryption part > >We mean application protocol. > >> while (1) { >> sock = accept(listensock, NULL, NULL); >> printf("client connected to child thread %i with pid %i.\n", >> pthread_self(), getpid()); >> nread = recv(sock, buffer, 25, 0); >> buffer[nread] = '\0'; >> printf("%s\n", buffer); >> send(sock, buffer, nread, 0); >> close(sock); >> printf("client disconnected from child thread %i with pid %i.\n", >> pthread_self(), getpid()); >> } >> } > >This code isn't very helpful. It just reads and writes the very same >data. Nothing in this code tells us, for example, how to identify a >complete message. > >You could interpose an encryption protocol that also imposed no such >requirements. You would need to work out your own padding though. >Blowfish is a block encryption algorithm and cannot encrypt just a >single byte. So if you only read one byte, you'd need to pad it before >encryption and then you'd need some way to remove the padding on the >other end. > >I would strongly urge you to just use SSL. It is designed for *exactly* >this purpose. > >DS > Thank you David. I will give you more information about the code I'm goind to write. What is the purpose of the project? This is a open source project - I need a way to monitor a huge number of servers - monitor CPU load, RAM load, HDD load, installed packets and etc. The data which will gathered will be structured in JSON format and sended to one main server - Centos x86_64. The load will very high - every for example 2 hours the main Centos server will make checks of the monitored servers - this means that the monitored servers will establish connection with the main server and exchange JSON data maybe 200+ lines. Later on it will be added support for remote patching - this will include trasportation of installable rpm file to the remote server - sometimes bigger files will be transported. So I need a high performance solution that can handle many connections with little server load. 1. SSL is a good solution but is not high performance - it's more suitable for encryption of a web page. When establishing connection more that 100 connections are used to perform the SSL handshake and is not suitable for big bynary data. 2. Symethric encryption is more suitable because it is higth performance and will scale very well. I need a high performance optimizad solution. What is your opinion? What will be the best approach? Regards Peter
Re: Re: Re: Re: Cannot encrypt text - need help
On Sun, May 1, 2011 at 5:28 PM, derleader mail wrote: > >What protocol are you using? > What I mean is application layer protocol. But since in your example, > you're using your own protocol, > why not send both length and data. > Example. > <4 byte len field><0..2^32-1 data field> > > Then in you receiving end, do recv 4 bytes, get length, and recv until > received data equals to length. > > And decrypt. > > - re > > You mean furst to send the encryped string and next the length of the > string as value? > > Example for server: > > send(sock, encrypted_string, 25, 0); > send(sock, encrypted_string_length, 25, 0); > Example only: Assume, encrypted_data and encrypted_data_len are the the output of you encryption operation. For simplicity, copy to a separate buffer . memcpy(buff, &encrypted_data_len, sizeof(unsigned int)); // need to convert to network byte memcpy(buff+sizeof(unsigned int), encrypted_data, encrypted_data_len); total = sizeof(unsigned int) + encrypted_data_len; sent = 0; do { ret = send(sock, buff+sent, total-sent); sent += ret; } while (sent < total); > > For client > recv(sock, encrypted_string, 25, 0); > recv(sock, encrypted_string_length, 25, 0); > In your client side, first, received the first four bytes. Now that you have the encrypted length, received the data. Perform decryption. On Sun, May 1, 2011 at 4:34 PM, derleader mail wrote: > >> The encrypted output is not a NULL terminated string so strlen will not >> work. >> >> >> EVP_DecryptUpdate(&ctx, (unsigned char *)plaintextz, &out_len, >> (unsigned char *)ciphertext, strlen(ciphertext)); >> >> Use the length output from the encryption part. >> >> Thank you very much for the reply. The problem is that the encryption and >> decryption must be on separate machines. I need a way to take the size of >> the encrypted message using language function like strlen >> (). Is there other solution? >> > Hi, > > What protocol are you using? > If you cannot send the "length" of the encrypted data, then you cannot > decrypt it properly. > > > I'm going to use stream protocol - TCP/IP. Here is the template source code > of the server without the encryption part > > #include > #include > #include > #include > #include > #include > > void* thread_proc(void *arg); > > int main(int argc, char *argv[]) > { > struct sockaddr_in sAddr; > int listensock; > int result; > int nchildren = 1; > pthread_t thread_id; > int x; > int val; > > if (argc > 1) { > nchildren = atoi(argv[1]); > } > > listensock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); > > val = 1; > result = setsockopt(listensock, SOL_SOCKET, SO_REUSEADDR, &val, > sizeof(val)); > if (result < 0) { > perror("server5"); > return 0; > } > > sAddr.sin_family = AF_INET; > sAddr.sin_port = htons(1972); > sAddr.sin_addr.s_addr = INADDR_ANY; > > result = bind(listensock, (struct sockaddr *) &sAddr, sizeof(sAddr)); > if (result < 0) { > perror("exserver5"); > return 0; > } > > result = listen(listensock, 5); > if (result < 0) { > perror("exserver5"); > return 0; > } > >for (x = 0; x < nchildren; x++) { > result = pthread_create(&thread_id, NULL, thread_proc, (void *) > listensock); > if (result != 0) { > printf("Could not create thread.\n"); > return 0; > } > sched_yield(); > } > >pthread_join (thread_id, NULL); > } > > void* thread_proc(void *arg) > { > int listensock, sock; > char buffer[25]; > int nread; > > listensock = (int) arg; > > while (1) { > sock = accept(listensock, NULL, NULL); > printf("client connected to child thread %i with pid %i.\n", > pthread_self(), getpid()); > nread = recv(sock, buffer, 25, 0); > buffer[nread] = '\0'; > printf("%s\n", buffer); > send(sock, buffer, nread, 0); > close(sock); > printf("client disconnected from child thread %i with pid %i.\n", > pthread_self(), getpid()); > } > } >
Re: Cannot encrypt text - need help
Don't you know how much data you've read that you're about to decrypt? in your code template, you showed the sendign routine doing... nread = recv(sock, buffer, 25, 0); isn't the recieving routine doing somethign similar? well, nread would be the length you need, no? __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Cannot encrypt text - need help
On 5/1/2011 1:34 AM, derleader mail wrote: I'm going to use stream protocol - TCP/IP. Here is the template source code of the server without the encryption part We mean application protocol. while (1) { sock = accept(listensock, NULL, NULL); printf("client connected to child thread %i with pid %i.\n", pthread_self(), getpid()); nread = recv(sock, buffer, 25, 0); buffer[nread] = '\0'; printf("%s\n", buffer); send(sock, buffer, nread, 0); close(sock); printf("client disconnected from child thread %i with pid %i.\n", pthread_self(), getpid()); } } This code isn't very helpful. It just reads and writes the very same data. Nothing in this code tells us, for example, how to identify a complete message. You could interpose an encryption protocol that also imposed no such requirements. You would need to work out your own padding though. Blowfish is a block encryption algorithm and cannot encrypt just a single byte. So if you only read one byte, you'd need to pad it before encryption and then you'd need some way to remove the padding on the other end. I would strongly urge you to just use SSL. It is designed for *exactly* this purpose. DS __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Re: Re: Re: Cannot encrypt text - need help
>What protocol are you using? What I mean is application layer protocol. But >since in your example, you're using your own protocol, why not send both >length and data. Example. Then in you receiving end, do recv 4 bytes, get length, and recv until received data equals to length. And decrypt. - re You mean furst to send the encryped string and next the length of the string as value? Example for server: send(sock, encrypted_string, 25, 0); send(sock, encrypted_string_length, 25, 0); For client recv(sock, encrypted_string, 25, 0); recv(sock, encrypted_string_length, 25, 0); On Sun, May 1, 2011 at 4:34 PM, derleader mail derlea...@abv.bg > wrote: The encrypted output is not a NULL terminated string so strlen will not work. >> EVP_DecryptUpdate(&ctx, (unsigned char *)plaintextz, &out_len, (unsigned char *)ciphertext, strlen(ciphertext)); Use the length output from the encryption part. Thank you very much for the reply. The problem is that the encryption and decryption must be on separate machines. I need a way to take the size of the encrypted message using language function like strlen (). Is there other solution? Hi, What protocol are you using? If you cannot send the "length" of the encrypted data, then you cannot decrypt it properly. I'm going to use stream protocol - TCP/IP. Here is the template source code of the server without the encryption part #include #include #include #include #include #include void* thread_proc(void *arg); int main(int argc, char *argv[]) { struct sockaddr_in sAddr; int listensock; int result; int nchildren = 1; pthread_t thread_id; int x; int val; if (argc > 1) { nchildren = atoi(argv[1]); } listensock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); val = 1; result = setsockopt(listensock, SOL_SOCKET, SO_REUSEADDR, &val, sizeof(val)); if (result < 0) { perror("server5"); return 0; } sAddr.sin_family = AF_INET; sAddr.sin_port = htons(1972); sAddr.sin_addr.s_addr = INADDR_ANY; result = bind(listensock, (struct sockaddr *) &sAddr, sizeof(sAddr)); if (result < 0) { perror("exserver5"); return 0; } result = listen(listensock, 5); if (result < 0) { perror("exserver5"); return 0; } for (x = 0; x < nchildren; x++) { result = pthread_create(&thread_id, NULL, thread_proc, (void *) listensock); if (result != 0) { printf("Could not create thread.\n"); return 0; } sched_yield(); } pthread_join (thread_id, NULL); } void* thread_proc(void *arg) { int listensock, sock; char buffer[25]; int nread; listensock = (int) arg; while (1) { sock = accept(listensock, NULL, NULL); printf("client connected to child thread %i with pid %i.\n", pthread_self(), getpid()); nread = recv(sock, buffer, 25, 0); buffer[nread] = '\0'; printf("%s\n", buffer); send(sock, buffer, nread, 0); close(sock); printf("client disconnected from child thread %i with pid %i.\n", pthread_self(), getpid()); } }
Re: Re: Re: Cannot encrypt text - need help
Hi, >What protocol are you using? What I mean is application layer protocol. But since in your example, you're using your own protocol, why not send both length and data. Example. <4 byte len field><0..2^32-1 data field> Then in you receiving end, do recv 4 bytes, get length, and recv until received data equals to length. And decrypt. - re On Sun, May 1, 2011 at 4:34 PM, derleader mail wrote: > >> The encrypted output is not a NULL terminated string so strlen will not >> work. >> >> >> EVP_DecryptUpdate(&ctx, (unsigned char *)plaintextz, &out_len, >> (unsigned char *)ciphertext, strlen(ciphertext)); >> >> Use the length output from the encryption part. >> >> Thank you very much for the reply. The problem is that the encryption and >> decryption must be on separate machines. I need a way to take the size of >> the encrypted message using language function like strlen >> (). Is there other solution? >> > Hi, > > What protocol are you using? > If you cannot send the "length" of the encrypted data, then you cannot > decrypt it properly. > > > I'm going to use stream protocol - TCP/IP. Here is the template source code > of the server without the encryption part > > #include > #include > #include > #include > #include > #include > > void* thread_proc(void *arg); > > int main(int argc, char *argv[]) > { > struct sockaddr_in sAddr; > int listensock; > int result; > int nchildren = 1; > pthread_t thread_id; > int x; > int val; > > if (argc > 1) { > nchildren = atoi(argv[1]); > } > > listensock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); > > val = 1; > result = setsockopt(listensock, SOL_SOCKET, SO_REUSEADDR, &val, > sizeof(val)); > if (result < 0) { > perror("server5"); > return 0; > } > > sAddr.sin_family = AF_INET; > sAddr.sin_port = htons(1972); > sAddr.sin_addr.s_addr = INADDR_ANY; > > result = bind(listensock, (struct sockaddr *) &sAddr, sizeof(sAddr)); > if (result < 0) { > perror("exserver5"); > return 0; > } > > result = listen(listensock, 5); > if (result < 0) { > perror("exserver5"); > return 0; > } > >for (x = 0; x < nchildren; x++) { > result = pthread_create(&thread_id, NULL, thread_proc, (void *) > listensock); > if (result != 0) { > printf("Could not create thread.\n"); > return 0; > } > sched_yield(); > } > >pthread_join (thread_id, NULL); > } > > void* thread_proc(void *arg) > { > int listensock, sock; > char buffer[25]; > int nread; > > listensock = (int) arg; > > while (1) { > sock = accept(listensock, NULL, NULL); > printf("client connected to child thread %i with pid %i.\n", > pthread_self(), getpid()); > nread = recv(sock, buffer, 25, 0); > buffer[nread] = '\0'; > printf("%s\n", buffer); > send(sock, buffer, nread, 0); > close(sock); > printf("client disconnected from child thread %i with pid %i.\n", > pthread_self(), getpid()); > } > } >
Re: Re: Re: Cannot encrypt text - need help
The encrypted output is not a NULL terminated string so strlen will not work. >> EVP_DecryptUpdate(&ctx, (unsigned char *)plaintextz, &out_len, (unsigned char *)ciphertext, strlen(ciphertext)); Use the length output from the encryption part. Thank you very much for the reply. The problem is that the encryption and decryption must be on separate machines. I need a way to take the size of the encrypted message using language function like strlen (). Is there other solution? Hi, What protocol are you using? If you cannot send the "length" of the encrypted data, then you cannot decrypt it properly. I'm going to use stream protocol - TCP/IP. Here is the template source code of the server without the encryption part #include #include #include #include #include #include void* thread_proc(void *arg); int main(int argc, char *argv[]) { struct sockaddr_in sAddr; int listensock; int result; int nchildren = 1; pthread_t thread_id; int x; int val; if (argc > 1) { nchildren = atoi(argv[1]); } listensock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); val = 1; result = setsockopt(listensock, SOL_SOCKET, SO_REUSEADDR, &val, sizeof(val)); if (result < 0) { perror("server5"); return 0; } sAddr.sin_family = AF_INET; sAddr.sin_port = htons(1972); sAddr.sin_addr.s_addr = INADDR_ANY; result = bind(listensock, (struct sockaddr *) &sAddr, sizeof(sAddr)); if (result < 0) { perror("exserver5"); return 0; } result = listen(listensock, 5); if (result < 0) { perror("exserver5"); return 0; } for (x = 0; x < nchildren; x++) { result = pthread_create(&thread_id, NULL, thread_proc, (void *) listensock); if (result != 0) { printf("Could not create thread.\n"); return 0; } sched_yield(); } pthread_join (thread_id, NULL); } void* thread_proc(void *arg) { int listensock, sock; char buffer[25]; int nread; listensock = (int) arg; while (1) { sock = accept(listensock, NULL, NULL); printf("client connected to child thread %i with pid %i.\n", pthread_self(), getpid()); nread = recv(sock, buffer, 25, 0); buffer[nread] = '\0'; printf("%s\n", buffer); send(sock, buffer, nread, 0); close(sock); printf("client disconnected from child thread %i with pid %i.\n", pthread_self(), getpid()); } }
Re: Cannot encrypt text - need help
On 4/30/2011 10:48 AM, derleader mail wrote: Thank you very much for the reply. The problem is that the encryption and decryption must be on separate machines. I need a way to take the size of the encrypted message using language function like strlen(). Is there other solution? Are you designing the protocol that one machine uses to send the encrypted data to the other or has someone else designed that protocol? If that protocol requires that the encrypted data be a string, has the mechanism by which that will be done been determined yet or is it up to you? It sounds like you are trying to implement a mechanism before the mechanism has been decided on. Before you attempt to send even a single byte over a network, it should be decided which bytes will go where and that decision should be reflected in a written specification. This may require an hour or two of pain, but trust me, it will eliminate days of pain. And, as a free bonus, anyone else who needs to interoperate with you can look to that specification to know what to do. DS __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Re: Cannot encrypt text - need help
On Sun, May 1, 2011 at 1:48 AM, derleader mail wrote: > > Hi, > > The encrypted output is not a NULL terminated string so strlen will not > work. > > >> EVP_DecryptUpdate(&ctx, (unsigned char *)plaintextz, &out_len, (unsigned > char *)ciphertext, strlen(ciphertext)); > > Use the length output from the encryption part. > > Thank you very much for the reply. The problem is that the encryption and > decryption must be on separate machines. I need a way to take the size of > the encrypted message using language function like strlen(). Is there > other solution? > Hi, What protocol are you using? If you cannot send the "length" of the encrypted data, then you cannot decrypt it properly. > > Regards > > - re > > On Sun, May 1, 2011 at 12:27 AM, derleader mail wrote: > >> Hi, >>I'm trying to code a C program that can convert very big number of >> characters. The problem is that there is an error in decryption. >> >> This is the code: >> >> //gcc test_Blowfish.c -L/usr/local/ssl/lib/ -lssl -lcrypto -Wall >> >> #include >> #include >> #include >> #include >> #include >> >> int main(void) { >> >> char plaintext[1024] = "{aaX{aaX57 : {223 : >> 2323}}{}{}{}{}{}{3535:42424}242424242242424243r23r23r23r23r23r23r3r{}pppa57 >> : {223 : >> 2323}}{}{}{}{}{}{3535:42424}242424242242424243r23r23r23r23r23r23r3r{}pppa{aaX57 >> : {223 : >> 2323}}{}{}{}{}{}{3535:42424}242424242242424243r23r23r23r23r23r23r3r{}pppa"; >> char plaintextz[1024]; >> char ciphertext[1024]= {0,}; >> char mykey[EVP_MAX_KEY_LENGTH] = "blowfish_key"; >> char iv[EVP_MAX_IV_LENGTH] = "blowfish"; >> int tmp_len = 0, in_len, out_len=0; >> EVP_CIPHER_CTX ctx; >> >> //memset(mykey,0,sizeof(mykey)); >> //memset(iv,0,sizeof(iv)); >> >> >> >> printf("No encrypt: %s\n", plaintext); >> printf("No encrypt size: %d\n", strlen(plaintext)); >> >> //Encrypt >> EVP_EncryptInit(&ctx, EVP_bf_cfb(), (unsigned char *)mykey, (unsigned >> char *)iv); >> EVP_EncryptUpdate(&ctx, (unsigned char *)ciphertext, &out_len, >> (unsigned char *)plaintext, strlen(plaintext));//Block through the mem >> to be encrypted >> tmp_len += out_len; >> EVP_EncryptFinal(&ctx, (unsigned char *) &ciphertext[out_len], >> &out_len); //Finish any remaining encryption and throw a pad on >> tmp_len += out_len; >> printf("Encrypted: %s\n", ciphertext); >> printf("Encrypted size: %d\n", tmp_len); >> >> //Reset memory for Decryption >> //memset(plaintext,0,sizeof(plaintext)); >> in_len = tmp_len; >> out_len = tmp_len = 0; >> >> //decrypt >> EVP_DecryptInit(&ctx, EVP_bf_cfb(), (unsigned char *)mykey, (unsigned >> char *)iv); >> EVP_DecryptUpdate(&ctx, (unsigned char *)plaintextz, &out_len, >> (unsigned char *)ciphertext, strlen(ciphertext)); >> tmp_len += out_len; >> EVP_DecryptFinal(&ctx, (unsigned char *)&plaintextz[out_len], >> &out_len); >> tmp_len += out_len; >> >> //Zero out the pad >> memset(&plaintext[tmp_len],0,(int)(sizeof(plaintext)) - tmp_len); >> >> printf("Decrypted : %s\n", plaintextz); >> printf("Decrypted size: %d\n", tmp_len); >> >> printf("Block Size: %d\n",EVP_CIPHER_CTX_block_size(&ctx)); >> >> return 0; >> } >> >> >> >> This is the output: >> >> [root@localhost test]# ./a.out >> No encrypt: {aaX{aaX57 : {223 : >> 2323}}{}{}{}{}{}{3535:42424}242424242242424243r23r23r23r23r23r23r3r{}pppa57 >> : {223 : >> 2323}}{}{}{}{}{}{3535:42424}242424242242424243r23r23r23r23r23r23r3r{}pppa{aaX57 >> : {223 : >> 2323}}{}{}{}{}{}{3535:42424}242424242242424243r23r23r23r23r23r23r3r{}pppa >> No encrypt size: 267 >> Encrypted: �A-�� W =?:�$�i �_�8:�F�wo#�5 � @D�mo��-I ���F�Q�J�#��F�0b� >> ;�`� C䦱�~6�)ހ�YG �ed�Ӕ�Z%�9!mdvϋ���\���QB��}�N @_�W�F�e"� >> Encrypted size: 267 >> Decrypted : {aaX{aaX57 : {223 : >> 2323}}{}{}{}{}{}{3535:42424}242424242242424243r23r23r23r23r23r23r3r{}pppa57 >> : {223 : 2323}}{}{}{}{}{}{3535:4242 >> Decrypted size: 131 >> Block Size: 1 >> >> As youy see the decrypted size number is less that the original. >> Any idea where is the problem? >> >> > >
Re: Cannot encrypt text - need help
On Sat April 30 2011, derleader mail wrote: > > Hi, > The encrypted output is not a NULL terminated string so strlen will not > work. >>> EVP_DecryptUpdate(&ctx, (unsigned char *)plaintextz, &out_len, > (unsigned char *)ciphertext, strlen(ciphertext)); > > Use the length output from the encryption part. > > Thank you very much for the reply. The problem is that the encryption and > decryption must be on separate machines. I need a way to take the size of the > encrypted message using language function like strlen (). Is there other > solution? Yes, send the encrypted length along with the encrypted message. How that gets done is usually part of the protocol you choose for exchanging encrypted messages. And since you didn't mention any protocol. . . . Mike > > Regards > > - re > > On Sun, May 1, 2011 at 12:27 AM, derleader mail derlea...@abv.bg > wrote: > > Hi, > > > I'm trying to code a C program that can convert very big number of > characters. The problem is that there is an error in decryption. > > This is the code: > > //gcc test_Blowfish.c -L/usr/local/ssl/lib/ -lssl -lcrypto -Wall > > > #include > #include > > #include > #include > #include > > > > int main(void) { > > > > > > > char plaintext[1024] = "{aaX{aaX57 : {223 : > 2323}}{}{}{}{}{}{3535:42424}242424242242424243r23r23r23r23r23r23r3r{}pppa57 : > {223 : > 2323}}{}{}{}{}{}{3535:42424}242424242242424243r23r23r23r23r23r23r3r{}pppa{aaX57 > : {223 : > 2323}}{}{}{}{}{}{3535:42424}242424242242424243r23r23r23r23r23r23r3r{}pppa"; > > > > char plaintextz[1024]; > > > > char ciphertext[1024]= {0,}; > > > > char mykey[EVP_MAX_KEY_LENGTH] = "blowfish_key"; > > > > char iv[EVP_MAX_IV_LENGTH] = "blowfish"; > > > > int tmp_len = 0, in_len, out_len=0; > > > > EVP_CIPHER_CTX ctx; > > > > > > //memset(mykey,0,sizeof(mykey)); > > > > //memset(iv,0,sizeof(iv)); > > > > > > > > > > > > > printf("No encrypt: %s\n", plaintext); > > > > > > > printf("No encrypt size: %d\n", strlen(plaintext)); > > > > > > //Encrypt > > > > EVP_EncryptInit(&ctx, EVP_bf_cfb(), (unsigned char *)mykey, (unsigned > char *)iv); > > > > EVP_EncryptUpdate(&ctx, (unsigned char *)ciphertext, &out_len, > (unsigned char *)plaintext, strlen(plaintext)); > > > //Block through the mem to be encrypted > > > > tmp_len += out_len; > > > > EVP_EncryptFinal(&ctx, (unsigned char *) &ciphertext[out_len], > &out_len); //Finish any remaining encryption and throw a pad on > > > > tmp_len += out_len; > > > > printf("Encrypted: %s\n", ciphertext); > > > > printf("Encrypted size: %d\n", tmp_len); > > > > > > //Reset memory for Decryption > // > > > memset(plaintext,0,sizeof(plaintext)); > > > > in_len = tmp_len; > > > > out_len = tmp_len = 0; > > > > > > //decrypt > > > > EVP_DecryptInit(&ctx, EVP_bf_cfb(), (unsigned char *)mykey, (unsigned > char *)iv); > > > > EVP_DecryptUpdate(&ctx, (unsigned char *)plaintextz, &out_len, > (unsigned char *)ciphertext, strlen(ciphertext)); > > > > tmp_len += out_len; > > > > EVP_DecryptFinal(&ctx, (unsigned char *)&plaintextz[out_len], > &out_len); > > > > tmp_len += out_len; > > > > > > //Zero out the pad > > > > memset(&plaintext[tmp_len],0,(int)(sizeof(plaintext)) - tmp_len); > > > > > > printf("Decrypted : %s\n", plaintextz); > > > > printf("Decrypted size: %d\n", tmp_len); > > > > > > printf("Block Size: %d\n",EVP_CIPHER_CTX_block_size(&ctx)); > > > > > > return 0; > } > > > > This is the output: > > [root@localhost test]# ./a.out > No encrypt: {aaX{aaX57 : {223 : > 2323}}{}{}{}{}{}{3535:42424}242424242242424243r23r23r23r23r23r23r3r{}pppa57 : > {223 : > 2323}}{}{}{}{}{}{3535:42424}242424242242424243r23r23r23r23r23r23r3r{}pppa{aaX57 > : {223 : > 2323}}{}{}{}{}{}{3535:42424}242424242242424243r23r23r23r23r23r23r3r{}pppa > No encrypt size: 267 > Encrypted: �A-�� W =?:�$�i �_�8:�F�wo#�5 � @D�mo��-I ���F�Q�J�#��F�0b� ;�`� > C䦱�~6�)ހ�YG �ed�Ӕ�Z%�9!mdvϋ���\���QB��}�N @_�W�F�e"� > Encrypted size: 267 > Decrypted : {aaX{aaX57 : {223 : > 2323}}{}{}{}{}{}{3535:42424}242424242242424243r23r23r23r23r23r23r3r{}pppa57 : > {223 : 2323}}{}{}{}{}{}{3535:4242 > Decrypted size: 131 > Block Size: 1 > > As youy see the decrypted size number is less that the original. > Any idea where is the problem? > > > > __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Re: Cannot encrypt text - need help
Hi, The encrypted output is not a NULL terminated string so strlen will not work. >> EVP_DecryptUpdate(&ctx, (unsigned char *)plaintextz, &out_len, (unsigned char *)ciphertext, strlen(ciphertext)); Use the length output from the encryption part. Thank you very much for the reply. The problem is that the encryption and decryption must be on separate machines. I need a way to take the size of the encrypted message using language function like strlen (). Is there other solution? Regards - re On Sun, May 1, 2011 at 12:27 AM, derleader mail derlea...@abv.bg > wrote: Hi, I'm trying to code a C program that can convert very big number of characters. The problem is that there is an error in decryption. This is the code: //gcc test_Blowfish.c -L/usr/local/ssl/lib/ -lssl -lcrypto -Wall #include #include #include #include #include int main(void) { char plaintext[1024] = "{aaX{aaX57 : {223 : 2323}}{}{}{}{}{}{3535:42424}242424242242424243r23r23r23r23r23r23r3r{}pppa57 : {223 : 2323}}{}{}{}{}{}{3535:42424}242424242242424243r23r23r23r23r23r23r3r{}pppa{aaX57 : {223 : 2323}}{}{}{}{}{}{3535:42424}242424242242424243r23r23r23r23r23r23r3r{}pppa"; char plaintextz[1024]; char ciphertext[1024]= {0,}; char mykey[EVP_MAX_KEY_LENGTH] = "blowfish_key"; char iv[EVP_MAX_IV_LENGTH] = "blowfish"; int tmp_len = 0, in_len, out_len=0; EVP_CIPHER_CTX ctx; //memset(mykey,0,sizeof(mykey)); //memset(iv,0,sizeof(iv)); printf("No encrypt: %s\n", plaintext); printf("No encrypt size: %d\n", strlen(plaintext)); //Encrypt EVP_EncryptInit(&ctx, EVP_bf_cfb(), (unsigned char *)mykey, (unsigned char *)iv); EVP_EncryptUpdate(&ctx, (unsigned char *)ciphertext, &out_len, (unsigned char *)plaintext, strlen(plaintext)); //Block through the mem to be encrypted tmp_len += out_len; EVP_EncryptFinal(&ctx, (unsigned char *) &ciphertext[out_len], &out_len); //Finish any remaining encryption and throw a pad on tmp_len += out_len; printf("Encrypted: %s\n", ciphertext); printf("Encrypted size: %d\n", tmp_len); //Reset memory for Decryption // memset(plaintext,0,sizeof(plaintext)); in_len = tmp_len; out_len = tmp_len = 0; //decrypt EVP_DecryptInit(&ctx, EVP_bf_cfb(), (unsigned char *)mykey, (unsigned char *)iv); EVP_DecryptUpdate(&ctx, (unsigned char *)plaintextz, &out_len, (unsigned char *)ciphertext, strlen(ciphertext)); tmp_len += out_len; EVP_DecryptFinal(&ctx, (unsigned char *)&plaintextz[out_len], &out_len); tmp_len += out_len; //Zero out the pad memset(&plaintext[tmp_len],0,(int)(sizeof(plaintext)) - tmp_len); printf("Decrypted : %s\n", plaintextz); printf("Decrypted size: %d\n", tmp_len); printf("Block Size: %d\n",EVP_CIPHER_CTX_block_size(&ctx)); return 0; } This is the output: [root@localhost test]# ./a.out No encrypt: {aaX{aaX57 : {223 : 2323}}{}{}{}{}{}{3535:42424}242424242242424243r23r23r23r23r23r23r3r{}pppa57 : {223 : 2323}}{}{}{}{}{}{3535:42424}242424242242424243r23r23r23r23r23r23r3r{}pppa{aaX57 : {223 : 2323}}{}{}{}{}{}{3535:42424}242424242242424243r23r23r23r23r23r23r3r{}pppa No encrypt size: 267 Encrypted: �A-�� W =?:�$�i �_�8:�F�wo#�5 � @D�mo��-I ���F�Q�J�#��F�0b� ;�`� C䦱�~6�)ހ�YG �ed�Ӕ�Z%�9!mdvϋ���\���QB��}�N @_�W�F�e"� Encrypted size: 267 Decrypted : {aaX{aaX57 : {223 : 2323}}{}{}{}{}{}{3535:42424}242424242242424243r23r23r23r23r23r23r3r{}pppa57 : {223 : 2323}}{}{}{}{}{}{3535:4242 Decrypted size: 131 Block Size: 1 As youy see the decrypted size number is less that the original. Any idea where is the problem?
Re: Cannot encrypt text - need help
Hi, The encrypted output is not a NULL terminated string so strlen will not work. >> EVP_DecryptUpdate(&ctx, (unsigned char *)plaintextz, &out_len, (unsigned char *)ciphertext, strlen(ciphertext)); Use the length output from the encryption part. - re On Sun, May 1, 2011 at 12:27 AM, derleader mail wrote: > Hi, >I'm trying to code a C program that can convert very big number of > characters. The problem is that there is an error in decryption. > > This is the code: > > //gcc test_Blowfish.c -L/usr/local/ssl/lib/ -lssl -lcrypto -Wall > > #include > #include > #include > #include > #include > > int main(void) { > > char plaintext[1024] = "{aaX{aaX57 : {223 : > 2323}}{}{}{}{}{}{3535:42424}242424242242424243r23r23r23r23r23r23r3r{}pppa57 > : {223 : > 2323}}{}{}{}{}{}{3535:42424}242424242242424243r23r23r23r23r23r23r3r{}pppa{aaX57 > : {223 : > 2323}}{}{}{}{}{}{3535:42424}242424242242424243r23r23r23r23r23r23r3r{}pppa"; > char plaintextz[1024]; > char ciphertext[1024]= {0,}; > char mykey[EVP_MAX_KEY_LENGTH] = "blowfish_key"; > char iv[EVP_MAX_IV_LENGTH] = "blowfish"; > int tmp_len = 0, in_len, out_len=0; > EVP_CIPHER_CTX ctx; > > //memset(mykey,0,sizeof(mykey)); > //memset(iv,0,sizeof(iv)); > > > > printf("No encrypt: %s\n", plaintext); > printf("No encrypt size: %d\n", strlen(plaintext)); > > //Encrypt > EVP_EncryptInit(&ctx, EVP_bf_cfb(), (unsigned char *)mykey, (unsigned > char *)iv); > EVP_EncryptUpdate(&ctx, (unsigned char *)ciphertext, &out_len, > (unsigned char *)plaintext, strlen(plaintext));//Block through the mem > to be encrypted > tmp_len += out_len; > EVP_EncryptFinal(&ctx, (unsigned char *) &ciphertext[out_len], > &out_len); //Finish any remaining encryption and throw a pad on > tmp_len += out_len; > printf("Encrypted: %s\n", ciphertext); > printf("Encrypted size: %d\n", tmp_len); > > //Reset memory for Decryption > //memset(plaintext,0,sizeof(plaintext)); > in_len = tmp_len; > out_len = tmp_len = 0; > > //decrypt > EVP_DecryptInit(&ctx, EVP_bf_cfb(), (unsigned char *)mykey, (unsigned > char *)iv); > EVP_DecryptUpdate(&ctx, (unsigned char *)plaintextz, &out_len, > (unsigned char *)ciphertext, strlen(ciphertext)); > tmp_len += out_len; > EVP_DecryptFinal(&ctx, (unsigned char *)&plaintextz[out_len], > &out_len); > tmp_len += out_len; > > //Zero out the pad > memset(&plaintext[tmp_len],0,(int)(sizeof(plaintext)) - tmp_len); > > printf("Decrypted : %s\n", plaintextz); > printf("Decrypted size: %d\n", tmp_len); > > printf("Block Size: %d\n",EVP_CIPHER_CTX_block_size(&ctx)); > > return 0; > } > > > > This is the output: > > [root@localhost test]# ./a.out > No encrypt: {aaX{aaX57 : {223 : > 2323}}{}{}{}{}{}{3535:42424}242424242242424243r23r23r23r23r23r23r3r{}pppa57 > : {223 : > 2323}}{}{}{}{}{}{3535:42424}242424242242424243r23r23r23r23r23r23r3r{}pppa{aaX57 > : {223 : > 2323}}{}{}{}{}{}{3535:42424}242424242242424243r23r23r23r23r23r23r3r{}pppa > No encrypt size: 267 > Encrypted: �A-�� W =?:�$�i �_�8:�F�wo#�5 � @D�mo��-I ���F�Q�J�#��F�0b� ;�`� > C䦱�~6�)ހ�YG �ed�Ӕ�Z%�9!mdvϋ���\���QB��}�N @_�W�F�e"� > Encrypted size: 267 > Decrypted : {aaX{aaX57 : {223 : > 2323}}{}{}{}{}{}{3535:42424}242424242242424243r23r23r23r23r23r23r3r{}pppa57 > : {223 : 2323}}{}{}{}{}{}{3535:4242 > Decrypted size: 131 > Block Size: 1 > > As youy see the decrypted size number is less that the original. > Any idea where is the problem? > >