Re: Beginner Question

2005-03-09 Thread Ragnar Paulson

Thanks everyone.  I'm working my way through the Viega, Messier, Chandra book.  I 
did notice that it immediately recommends the other
for internals and protocol details.   The man pages may make more sense to me 
once I get through this but it was trying to develop from them alone that 
convinced me I needed another reference. 

Ragnar

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]


RE: Beginner Question

2005-03-01 Thread mclellan, dave
Agreed:  Both are excellent and essential.   

Use the man pages in www.openssl.org/docs also.  There are many specifics
there that you'll need to know eventually.  

I found I had to dig into the openssl source to work through some nasty
problems (not OpenSSL problems, programmer airheadedness), so don't rule
that out. 

Dave 
Dave McLellan --Consulting Software Engineer - SPEA Engineering
EMC Corporation
228 South St. Mail Stop: 228 LL/AA-24
Hopkinton, MA 01748  USA
+1-508-249-1257 F: +1-508-497-8030  [EMAIL PROTECTED]


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Richard Koenning
Sent: Tuesday, March 01, 2005 4:28 PM
To: openssl-users@openssl.org
Subject: Re: Beginner Question

Ragnar Paulson wrote:

> I'm looking for a pointer to more documentation of how to use the openssl
> API,  I don't really want to read the source or learn the internals.   I
> have found the following two references:
> 
> SSL and TLS: Designing and Building Secure Systems by Eric Rescorla
> Network Security with OpenSSL: Cryptography for Secure Communications by
> John Viega, Matt Messier, and Pravir Chandra
> 
> Which of these should I buy, or is there a more recommended alternative.

Both, because the latter book doesn't explain the details of the SSL/TLS 
protocol, but recommends reading the first book.
Ciao,
Richard
-- 
Dr. Richard W. Könning
Fujitsu Siemens Computers GmbH


Re: Beginner Question

2005-03-01 Thread Richard Koenning
Ragnar Paulson wrote:

> I'm looking for a pointer to more documentation of how to use the openssl API,  
> I don't really want to read the source or learn the internals.   I have found 
> the following two references:
>
> SSL and TLS: Designing and Building Secure Systems by Eric Rescorla
> Network Security with OpenSSL: Cryptography for Secure Communications by John 
> Viega, Matt Messier, and Pravir Chandra
>
> Which of these should I buy, or is there a more recommended alternative.

Both, because the latter book doesn't explain the details of the SSL/TLS 
protocol, but recommends reading the first book.
Ciao,
Richard
--
Dr. Richard W. Könning
Fujitsu Siemens Computers GmbH


Re: Beginner Question

2005-02-24 Thread Bernhard Froehlich
Ragnar Paulson wrote:

> [...]
> I'm looking for a pointer to more documentation of how to use the openssl API,  
> I don't really want to read the source or learn the internals.   I have found 
> the following two references:
>
> SSL and TLS: Designing and Building Secure Systems by Eric Rescorla
> Network Security with OpenSSL: Cryptography for Secure Communications by John 
> Viega, Matt Messier, and Pravir Chandra
>
> Which of these should I buy, or is there a more recommended alternative.

I like to recommend the second one but I do not know the first.
From what you write about your knowledge and intentions I think you can 
find useful information in Viega et al. Have a look at 
http://www.oreilly.com/catalog/openssl/toc.html to see the table of 
contents, maybe it helps you to decide.

> Thanks again,
> Ragnar

Hope it helps,
Ted
;)




Beginner Question

2005-02-24 Thread Ragnar Paulson

Hello and thanks in advance for advice.  I need to quickly come up to speed  
using the openssl API.  I have the basic administration knowledge, having 
configured web servers (apache) to use SSL, as well as securing pop and imap 
with stunnel.

Now I need to actually modify an existing proprietary library to use SSL over a 
socket instead of using the socket directly.  I've gone through openssl.org, 
the man pages, and Eric Rescorla's introduction to SSL programming.  I'm within 
a few hours of finishing  the modifications apparent from these sources but 
still fear I am missing something in the big picture.  It's not at all clear 
how a BIO is used or needs to be used in this context.  There will apparently 
be problems in a multi-threaded environment but the steps to avoid them are 
unclear.  Plus a few other basics.  

I'm looking for a pointer to more documentation of how to use the openssl API,  
I don't really want to read the source or learn the internals.   I have found 
the following two references:

SSL and TLS: Designing and Building Secure Systems by Eric Rescorla
Network Security with OpenSSL: Cryptography for Secure Communications by John 
Viega, Matt Messier, and Pravir Chandra

Which of these should I buy, or is there a more recommended alternative.

Thanks again,
Ragnar



Ragnar Paulson   [EMAIL PROTECTED]
The Software Group Limited
705 725  x21
1.618033989


Re: beginner question.

2001-09-16 Thread rival


On Mon, 17 Sep 2001, Dr S N Henson wrote:

>
>
> [EMAIL PROTECTED] wrote:
> >
> > Hello,
> >
> > I got a problem related to EVP primitives, and i can't find where the
> > problem is.
> >
> > in the docs, it says :
> > "..EVP_DecryptInit(), EVP_DecryptUpdate() and EVP_DecryptFinal() are the
> > corresponding decryption operations. EVP_DecryptFinal() will return an
> > error code if padding is enabled and the final block is not correctly
> > formatted. ..."
> >
> > I don't understand "the final block is not correctly formatted", what is
> > the format ?! or what are the wrong format which make this function to fail ?.
> > (excepted null)
> >
>
> The output of EVP_EncryptFinal() uses the correct format. It's
> effectively saying that the only place it will notice something wrong
> (due to the wrong key, corrupted data etc) is in the final block and
> then not always.
>
Ok the thing is i'm armoring the crypted data, to use for display
using base[64|128] encoding.

Here are the functions i told you about :

...
#define ALGO EVP_bf_cbc()
...

char *crypt(char *str, unsigned char *key)
{
    unsigned char outbuf[1024];
    unsigned char iv[] = { 1, 2, 3, 4, 5, 6, 7, 8 };
    int outlen, tmplen;
    EVP_CIPHER_CTX ctx;

    EVP_EncryptInit(&ctx, ALGO, key, iv);
    EVP_EncryptUpdate(&ctx, outbuf, &outlen, str, strlen(str));
    EVP_EncryptFinal(&ctx, outbuf + outlen, &tmplen);
    outlen += tmplen;
    EVP_CIPHER_CTX_cleanup(&ctx);
    return base128_encode(outbuf, outlen);
}

int decrypt(char *dest, char *str, char *key)
{
    unsigned char iv[] = { 1, 2, 3, 4, 5, 6, 7, 8 };
    int outlen, tmplen, b128_len;
    char *b128;
    EVP_CIPHER_CTX ctx;

    b128 = base128_decode(str, &b128_len);
    EVP_DecryptInit(&ctx, ALGO, key, iv);
    if(!EVP_DecryptUpdate(&ctx, dest, &outlen, b128, b128_len))
    {
        perror("EVP error");
        return 0;
    }
    if(!EVP_DecryptFinal(&ctx, dest + outlen, &tmplen))
    {
        perror("EVP_errors");
        return 0;
    }
    EVP_CIPHER_CTX_cleanup(&ctx);
    return 1;
}


when i define ALGO as EVP_enc_null() it works fine, no encryption
just base128 encoded.
If i switch back to EVP_bf_cbc(), it just fails on the decryption routine
and returns nothing..(null) string.

base128_[encode|decode] does the allocation & return ptr to the encoded
string.

i might have done a stupid error, but obviously i can't see it :)

thanks for feedback.

> > I've just coded 2 functions,
> >
> > char *crypt(char *str, char *key) (which works fine)
> > int decrypt(char *dest, char *str, char *key)
> >
> > using EVP primitives, i've done the test by using EVP_enc_null()
> > as encryption/decryption algorithm, which means that my text was only
> > base128 armored, and it was working fine, but as long as i put a real
> > algorithm like EVP_bf_cbc or EVP_bf_cfb (blowfish is the one i want)
> > it just fails, the length returned by both EVP_DecryptUpdate and Final
> > is 0, but the input is non null.
> >
> > any ideas ?!
> >
>
> Impossible to do anything other than guess without seeing your code.
> However a common mistake is to assume that functions like strlen() can
> be used on the output of EVP_Encrypt*(). They can't because the result
> is not null terminated ASCII data, it's binary and can contain embedded
> nulls.
I did this error and corrected already using what the EVP primitives
return me for memcpy|strncpy.
the code is above.

Thanks.
>
> Steve.

-rival.




Re: beginner question.

2001-09-16 Thread Dr S N Henson



[EMAIL PROTECTED] wrote:
> 
> Hello,
> 
> I got a problem related to EVP primitives, and i can't find where the
> problem is.
> 
> in the docs, it says :
> "..EVP_DecryptInit(), EVP_DecryptUpdate() and EVP_DecryptFinal() are the
> corresponding decryption operations. EVP_DecryptFinal() will return an
> error code if padding is enabled and the final block is not correctly
> formatted. ..."
> 
> I don't understand "the final block is not correctly formatted", what is
> the format ?! or what are the wrong format which make this function to fail ?.
> (excepted null)
> 

The output of EVP_EncryptFinal() uses the correct format. It's
effectively saying that the only place it will notice something wrong
(due to the wrong key, corrupted data etc) is in the final block and
then not always.

> I've just coded 2 functions,
> 
> char *crypt(char *str, char *key) (which works fine)
> int decrypt(char *dest, char *str, char *key)
> 
> using EVP primitives, i've done the test by using EVP_enc_null()
> as encryption/decryption algorithm, which means that my text was only
> base128 armored, and it was working fine, but as long as i put a real
> algorithm like EVP_bf_cbc or EVP_bf_cfb (blowfish is the one i want)
> it just fails, the length returned by both EVP_DecryptUpdate and Final
> is 0, but the input is non null.
> 
> any ideas ?!
> 

Impossible to do anything other than guess without seeing your code.
However a common mistake is to assume that functions like strlen() can
be used on the output of EVP_Encrypt*(). They can't because the result
is not null terminated ASCII data, it's binary and can contain embedded
nulls.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
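
Added example (not part of the original thread, and not OpenSSL source): the "format" the documentation refers to is standard block (PKCS) padding, in which the last block ends with n bytes each of value n. The C sketch below builds and checks that padding for an 8-byte block and counts how often an arbitrary final block, as a wrong key would produce, still passes the check, which is the "and then not always" in the reply above. The function names pkcs_pad, pkcs_unpad and accepted_last_bytes and all sample bytes are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define BLOCK 8 /* Blowfish block size in bytes */

/* Append PKCS padding: n bytes of value n (1..BLOCK).
 * Returns the padded length, or 0 if buf (capacity cap) is too small. */
size_t pkcs_pad(unsigned char *buf, size_t len, size_t cap)
{
    size_t n = BLOCK - (len % BLOCK); /* a whole block when len is aligned */
    if (len + n > cap)
        return 0;
    memset(buf + len, (int)n, n);
    return len + n;
}

/* Validate the final block. Returns plaintext length, or -1 if malformed. */
long pkcs_unpad(const unsigned char *buf, size_t len)
{
    size_t i, n;
    if (len == 0 || len % BLOCK != 0)
        return -1;
    n = buf[len - 1];
    if (n == 0 || n > BLOCK)
        return -1;
    for (i = 1; i <= n; i++)
        if (buf[len - i] != n)
            return -1;
    return (long)(len - n);
}

/* Model a wrong-key final block as arbitrary bytes: try every value of its
 * last byte and count how many pass the padding check. */
int accepted_last_bytes(const unsigned char *block)
{
    unsigned char tmp[BLOCK];
    int v, hits = 0;
    memcpy(tmp, block, BLOCK);
    for (v = 0; v < 256; v++) {
        tmp[BLOCK - 1] = (unsigned char)v;
        hits += pkcs_unpad(tmp, BLOCK) >= 0;
    }
    return hits;
}

int main(void)
{
    unsigned char buf[16] = { 'a', 'b', 0, 'c', 'd' }; /* constructed; has a NUL */
    unsigned char junk[BLOCK] = { 0xde, 0xad, 0xbe, 0xef, 0x13, 0x37, 0x42, 0 };
    size_t padded = pkcs_pad(buf, 5, sizeof buf);
    printf("padded=%zu plain=%ld strlen=%zu hits=%d/256\n", padded,
           pkcs_unpad(buf, padded), strlen((char *)buf), accepted_last_bytes(junk));
}
```

strlen() reports 2 for the 5-byte sample because of the embedded NUL, which is why the lengths returned by the EVP calls have to travel with the data.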





beginner question.

2001-09-16 Thread rival

Hello,

I got a problem related to EVP primitives, and i can't find where the
problem is.

in the docs, it says :
"..EVP_DecryptInit(), EVP_DecryptUpdate() and EVP_DecryptFinal() are the
corresponding decryption operations. EVP_DecryptFinal() will return an
error code if padding is enabled and the final block is not correctly
formatted. ..."

I don't understand "the final block is not correctly formatted", what is
the format ?! or what are the wrong format which make this function to fail ?.
(excepted null)

I've just coded 2 functions,

char *crypt(char *str, char *key) (which works fine)
int decrypt(char *dest, char *str, char *key)

using EVP primitives, i've done the test by using EVP_enc_null()
as encryption/decryption algorithm, which means that my text was only
base128 armored, and it was working fine, but as long as i put a real
algorithm like EVP_bf_cbc or EVP_bf_cfb (blowfish is the one i want)
it just fails, the length returned by both EVP_DecryptUpdate and Final
is 0, but the input is non null.

any ideas ?!

thanks.

-rival.




beginner question

2001-04-06 Thread Xavier Marjou



Hello,
 
I have a question for which I can't find the response. Is OpenSSL executed
in Apache process, or is it running in a separate process (such as a servlet
engine for example) ?
 
Thanks,
Xavier Marjou


Beginner question: OpenSSL +Certisign +Apache - HELP!!

2000-09-05 Thread Perry Werneck


Hi,

Is there any cookbook available with information about how to use OpenSSL 
+Apache to validate Certisign client certificates? I can successfully install
a server certificate but, I'm not having much success when trying to validate
the client certificates.


---
Perry Werneck
ICQ #27241234
Visit me at http://www.os2brasil.com.br





Beginner Question: How do I create a certificate?

1999-11-22 Thread Bernardo Santos Wernesback

Hi All,

I have just started using OpenCA yesterday and so far I have been unable to
create a certificate. I am trying to create a certificate for an IIS server
although I am running OpenCA on a Linux workstation. Is this possible?
I thought my machine had a lot of trash in it so I have reinstalled Linux
and am currently in the process of reinstalling OpenCA.

Could someone give me some basic steps to create a certificate?

Thanks in advance,

Bernardo Santos Wernesback
[EMAIL PROTECTED]
Gazeta ZAZ - Brazil