gmane.comp.encryption.cryptlib

Re: cryptPopData() returns error -16 with TLS

Peter Gutmann — 2012-03-23T13:44:09


Can you create a debug build and tell me where in the code the exception is
thrown and what any relevant data values are?  Alternatively, is the server
publicly accessible so I can try and connect to it?

Peter.


_______________________________________________
Cryptlib mailing list
Cryptlib< at >mbsks.franken.deAdministration via Mail: cryptlib-request< at >mbsks.franken.de
Archive: ftp://ftp.franken.de/pub/crypt/cryptlib/archives/
http://news.gmane.org/gmane.comp.encryption.cryptlib
Posts from non-subscribed addresses are blocked to prevent spam, please
subscribe in order to post messages.

cryptPopData() returns error -16 with TLS

Tamim — 2012-03-22T14:22:52

Hello,

I'm trying to establish a TLS session using the current version of cryptlib
under MSVS C++ Express 2010/Windows 7 as a client against a server application
which is TLS-enabled via stunnel! Sending messages using cryptPushData() seam to
work fine (according to the log entries of the server application) but
cryptPopData() returns -16 (CRYPT_INTERNAL_ERROR). The values of the attributes
CRYPT_ATTRIBUTE_ERRORTYPE and CRYPT_ATTRIBUTE_ERRORLOCUS after the error has
occured are 0. An attempt to get the value of the attribute
CRYPT_ATTRIBUTE_ERRORMESSAGE returns with the error code -43.

Here is the code:

CRYPT_SESSION cryptSession;
status = cryptInit();

if ( status == CRYPT_OK ) {

  /* Create the session */
  status = cryptCreateSession( &cryptSession, CRYPT_UNUSED, CRYPT_SESSION_SSL );
}

if ( status == CRYPT_OK ) {
  /* Add server name */
  int len = strlen(serverName);
  status = cryptSetAttributeString( cryptSession, CRYPT_SESSINFO_SERVER_NAME,
serverName, len );
}

if ( status == CRYPT_OK ) {
  /* Add server port */
  status = cryptSetAttribute( cryptSession, CRYPT_SESSINFO_SERVER_PORT,
serverPort );
}

if ( status == CRYPT_OK ) {
  /* Activate session */
  status = cryptSetAttribute( cryptSession, CRYPT_SESSINFO_ACTIVE, 1 );
}

if ( status == CRYPT_OK ) {
  /* Exchange data with the server */
  int bytesCopied = 0;

  int bufferSize = 256;
  char* buffer = new char[bufferSize + 1];

  /* Discard initial response */
  status = cryptPopData( cryptSession, buffer, bufferSize, &bytesCopied );
  if ( status == CRYPT_OK ) {
    printf("\nGot data: %s", buffer);
  }
...

What am I doing wrong? Any help would be very much appreciated.

Tamim


_______________________________________________
Cryptlib mailing list
Cryptlib< at >mbsks.franken.deAdministration via Mail: cryptlib-request< at >mbsks.franken.de
Archive: ftp://ftp.franken.de/pub/crypt/cryptlib/archives/
http://news.gmane.org/gmane.comp.encryption.cryptlib
Posts from non-subscribed addresses are blocked to prevent spam, please
subscribe in order to post messages.

Re: SSH question

Mathias Spoerr — 2012-03-05T08:32:21

Hi Peter,

thank you very much for your answer. I think I will see if I find some other
way...

Thanks,
Mathias

-----Ursprüngliche Nachricht-----
Von: Peter Gutmann [mailto:pgut001< at >cs.auckland.ac.nz] 
Gesendet: Montag, 05. März 2012 07:25
An: cryptlib< at >mbsks.franken.de; mathias< at >spoerr.org
Betreff: Re: [Cryptlib] SSH question

Mathias Spoerr <mathias< at >spoerr.org> writes:


No, there's no easy way to get to it since there's all sorts of optional
info that the other side can send in various place (e.g. in so-called pam
auth messages), if you wanted to extract custom data you'd have to change
the code in session/ssh2_authc.c to pick out the bits you're interested in
(see the code and code comments for how incredibly complex this can get).

Peter.


_______________________________________________
Cryptlib mailing list
Cryptlib< at >mbsks.franken.deAdministration via Mail: cryptlib-request< at >mbsks.franken.de
Archive: ftp://ftp.franken.de/pub/crypt/cryptlib/archives/
http://news.gmane.org/gmane.comp.encryption.cryptlib
Posts from non-subscribed addresses are blocked to prevent spam, please
subscribe in order to post messages.

Re: SSH question

Peter Gutmann — 2012-03-05T06:24:53


No, there's no easy way to get to it since there's all sorts of optional info
that the other side can send in various place (e.g. in so-called pam auth
messages), if you wanted to extract custom data you'd have to change the code
in session/ssh2_authc.c to pick out the bits you're interested in (see the
code and code comments for how incredibly complex this can get).

Peter.


_______________________________________________
Cryptlib mailing list
Cryptlib< at >mbsks.franken.deAdministration via Mail: cryptlib-request< at >mbsks.franken.de
Archive: ftp://ftp.franken.de/pub/crypt/cryptlib/archives/
http://news.gmane.org/gmane.comp.encryption.cryptlib
Posts from non-subscribed addresses are blocked to prevent spam, please
subscribe in order to post messages.

SSH question

Mathias Spoerr — 2012-03-04T19:15:15

Hello,

 

is it somehow possible to read the pre-Authenticaion prompt when using SSH?
-> A device sends some data before authentication and I would need this
string for further analysis. 

At the moment I only get the receive data after authentication.

 

Thanks,

Mathias

 

 

_______________________________________________
Cryptlib mailing list
Cryptlib< at >mbsks.franken.deAdministration via Mail: cryptlib-request< at >mbsks.franken.de
Archive: ftp://ftp.franken.de/pub/crypt/cryptlib/archives/
http://news.gmane.org/gmane.comp.encryption.cryptlib
Posts from non-subscribed addresses are blocked to prevent spam, please
subscribe in order to post messages.

Re: Problem reading b64 encoded certificate

Smith, Roland — 2012-02-10T13:13:42

Peter,

The change you made fixed the problem! I had to make a couple small changes to my program and now it works great.

If you can send me the final build that would be great.

Thanks,
Roland

-----Original Message-----
From: cryptlib-bounces< at >mbsks.franken.de [mailto:cryptlib-bounces< at >mbsks.franken.de] On Behalf Of Peter Gutmann
Sent: Friday, February 10, 2012 5:54 AM
To: cryptlib< at >mbsks.franken.de; geir.eidissen< at >medilink.com
Subject: Re: [Cryptlib] Problem reading b64 encoded certificate

=?iso-8859-1?Q?Geir_St=E5le_Eidissen?= <geir.eidissen< at >medilink.com> writes:


Having seen the files, the bigger problem is that this data is supposed to be
in PEM base64 format but there are no line breaks in it, it's just one
continuous text string so neither of the two are valid.  It's actually just
coincidence that cryptlib decodes the first one (with the padding), since the
code is shared with generic base64-decoding code for databases that don't
handle binary data.

Peter.

_______________________________________________
Cryptlib mailing list
Cryptlib< at >mbsks.franken.deAdministration via Mail: cryptlib-request< at >mbsks.franken.de
Archive: ftp://ftp.franken.de/pub/crypt/cryptlib/archives/
http://news.gmane.org/gmane.comp.encryption.cryptlib
Posts from non-subscribed addresses are blocked to prevent spam, please
subscribe in order to post messages.

_______________________________________________
Cryptlib mailing list
Cryptlib< at >mbsks.franken.deAdministration via Mail: cryptlib-request< at >mbsks.franken.de
Archive: ftp://ftp.franken.de/pub/crypt/cryptlib/archives/
http://news.gmane.org/gmane.comp.encryption.cryptlib
Posts from non-subscribed addresses are blocked to prevent spam, please
subscribe in order to post messages.

Re: Problem reading b64 encoded certificate

Peter Gutmann — 2012-02-10T10:54:14


Having seen the files, the bigger problem is that this data is supposed to be
in PEM base64 format but there are no line breaks in it, it's just one
continuous text string so neither of the two are valid.  It's actually just
coincidence that cryptlib decodes the first one (with the padding), since the
code is shared with generic base64-decoding code for databases that don't
handle binary data.

Peter.

_______________________________________________
Cryptlib mailing list
Cryptlib< at >mbsks.franken.deAdministration via Mail: cryptlib-request< at >mbsks.franken.de
Archive: ftp://ftp.franken.de/pub/crypt/cryptlib/archives/
http://news.gmane.org/gmane.comp.encryption.cryptlib
Posts from non-subscribed addresses are blocked to prevent spam, please
subscribe in order to post messages.

Re: Error Sending TLS SMTP email to servers that are not GMail

Topwiz — 2012-02-03T13:55:44

I discovered I should send STARTTLS after EHLO and get this response:

220 2.0.0 SMTP server ready

But the the cryptlib session activate gives the same error.


Topwiz wrote:

Re: Error Sending TLS SMTP email to servers that are not GMail

Topwiz — 2012-02-03T13:40:00

I changed my prorgam to connect to the mail server the normal Winsock way,
send EHLO and get the response:

250-xc38.mail.ovh.net Hello [216.66.99.194]
250-SIZE 104857600
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-AUTH NTLM
250-8BITMIME
250-BINARYMIME
250 CHUNKING

Then I have the following cryptlib code:

// Cryptlib constants
Constant Long CRYPT_OK                                     =  0
Constant Long CRYPT_UNUSED                              = -101
Constant Long CRYPT_SESSION_SSL                      = 3
Constant Long CRYPT_SESSINFO_ACTIVE                = 6001
Constant Long CRYPT_SESSINFO_NETWORKSOCKET  = 6014

// Initialize the Library
ll_RetVal = cryptInit()

// Create the session
ll_RetVal = cryptCreateSession(il_Session, CRYPT_UNUSED, CRYPT_SESSION_SSL)

// Set the socket
ll_RetVal = cryptSetAttribute(il_Session, CRYPT_SESSINFO_NETWORKSOCKET,
iul_socket) 

// Activate the session
ll_RetVal = cryptSetAttribute(il_Session, CRYPT_SESSINFO_ACTIVE, 1) 

The return from this call is:  -16 Internal consistency check failed

Re: cryptGetAttribute - what to use for cryptObjectparameter to get error information

Peter Gutmann — 2012-02-03T05:13:32


Can you send me a copy of the cert, preferably zipped in order to preserve any
formatting irregularities that mailers might mangle?

Peter.

_______________________________________________
Cryptlib mailing list
Cryptlib< at >mbsks.franken.deAdministration via Mail: cryptlib-request< at >mbsks.franken.de
Archive: ftp://ftp.franken.de/pub/crypt/cryptlib/archives/
http://news.gmane.org/gmane.comp.encryption.cryptlib
Posts from non-subscribed addresses are blocked to prevent spam, please
subscribe in order to post messages.

Problem reading b64 encoded certificate

Geir Ståle Eidissen — 2012-02-02T12:52:26

I have narrowed it down to that it is the base64 decoding that reports CRYPT_ERROR_BADDATA when a certificate is base64encoded without linefeeds and there is no b64padding. 

 

IF the encoded certificate has b64 padding ( = or == at the end) it works fine:

 

-----BEGIN CERTIFICATE-----

MIIE [...]lxsaxft0Q==

-----END CERTIFICATE-----

 

When decoding this certificate, the last call to decodeBase64chunk results in outByteCount being 1 or 2 depending on the padding, so it returns OK_SPECIAL that tells base64decode() that end of data is reached. Note that there are no linefeeds in the base64encoded data.

 

But if there is no padding, the base64decode() function fails.

 

----- BEGIN CERTIFICATE -----

[...] p1TB3zKyHB1avxusOpgVxDM

-----END CERTIFICATE-----

 

Because in the last call to decodeBase64chunk() the outByteCount = 3, so base64decode continues to read and trigs the check in base64.c line 749 that allows only lines of 127 bytes or less. 

 

This was no problem in cryptlib 3.2, and the certificate is OK.

Is this something that can be corrected? 

 

--

Geir S. Eidissen

 

_______________________________________________
Cryptlib mailing list
Cryptlib< at >mbsks.franken.deAdministration via Mail: cryptlib-request< at >mbsks.franken.de
Archive: ftp://ftp.franken.de/pub/crypt/cryptlib/archives/
http://news.gmane.org/gmane.comp.encryption.cryptlib
Posts from non-subscribed addresses are blocked to prevent spam, please
subscribe in order to post messages.

cryptGetAttribute - what to use for cryptObjectparameter to get error information

Geir Ståle Eidissen — 2012-02-02T09:19:33

A call to cryptImportCert fails ( CRYPT_ERROR_BADDATA -32) and I want to get more information using CRYPT_ATTRIBUTE_ERRORLOCUS ect. 

 

The problem is that I have no valid object for cryptGetAttribute so the calls to get errorlocus, errortype and errormessage fails, returning -1 (CRYPT_ERROR_PARAM1. )

I have tried using CRYPT_UNUSED as the object, but that fails too. 

 

How can I find what's wrong with the certificate I try to import (pem-format, base64 encoded wrapped in ----- BEGIN CERTIFICATE-----,----- END CERTIFICATE----- ) .

 

Using Cryptlib 3.4.1

 

--

Geir S. Eidissen

_______________________________________________
Cryptlib mailing list
Cryptlib< at >mbsks.franken.deAdministration via Mail: cryptlib-request< at >mbsks.franken.de
Archive: ftp://ftp.franken.de/pub/crypt/cryptlib/archives/
http://news.gmane.org/gmane.comp.encryption.cryptlib
Posts from non-subscribed addresses are blocked to prevent spam, please
subscribe in order to post messages.

Re: Error Sending TLS SMTP email to servers that are notGMail

Peter Gutmann — 2012-02-01T16:48:21


That looks like an ASCII character, are you sure you're connecting on an SSL
port?

Peter.

_______________________________________________
Cryptlib mailing list
Cryptlib< at >mbsks.franken.deAdministration via Mail: cryptlib-request< at >mbsks.franken.de
Archive: ftp://ftp.franken.de/pub/crypt/cryptlib/archives/
http://news.gmane.org/gmane.comp.encryption.cryptlib
Posts from non-subscribed addresses are blocked to prevent spam, please
subscribe in order to post messages.

x

Florian Weimer — 2012-02-01T10:05:44

Re: Error Sending TLS SMTP email to servers that are not GMail

Topwiz — 2012-02-01T03:28:41

Here is the extended error message:

Unexpected <Unknown type> (50) packet, expected handshake (22)

Re: Error Sending TLS SMTP email to servers that are notGMail

Peter Gutmann — 2012-01-31T23:00:46


Hmm, this is odd, CRYPT_ATTRIBUTE_ERRORMESSAGE should always be a valid
attribute for sessions (and envelopes, and keysets, and ...).

Oh, you've set it yourself.  CRYPT_ATTRIBUTE_ERRORMESSAGE is 12, not 13 (you
can see the numeric values by looking at cryptlib.pas).

Peter.

_______________________________________________
Cryptlib mailing list
Cryptlib< at >mbsks.franken.deAdministration via Mail: cryptlib-request< at >mbsks.franken.de
Archive: ftp://ftp.franken.de/pub/crypt/cryptlib/archives/
http://news.gmane.org/gmane.comp.encryption.cryptlib
Posts from non-subscribed addresses are blocked to prevent spam, please
subscribe in order to post messages.

Re: Error Sending TLS SMTP email to servers that are not GMail

Topwiz — 2012-01-31T20:11:37

I added the following code. cryptGetAttributeString returns -2 and sets
ll_Strlen to -1. Do I not have the correct value for
CRYPT_ATTRIBUTE_ERRORMESSAGE?


Constant Long CRYPT_ATTRIBUTE_ERRORMESSAGE = 13
String ls_Return, ls_Extended
Long ll_RetVal, ll_Strlen

ll_Strlen = 255
ls_Extended = Space(ll_Strlen)

ll_RetVal = cryptGetAttributeString(il_Session, &
CRYPT_ATTRIBUTE_ERRORMESSAGE, ls_Extended, ll_Strlen)

Re: Error Sending TLS SMTP email to servers that are notGMail

Peter Gutmann — 2012-01-31T09:24:59


What's the extended error information, i.e. the value of
CRYPT_ATTRIBUTE_ERRORMESSAGE?

Peter.

_______________________________________________
Cryptlib mailing list
Cryptlib< at >mbsks.franken.deAdministration via Mail: cryptlib-request< at >mbsks.franken.de
Archive: ftp://ftp.franken.de/pub/crypt/cryptlib/archives/
http://news.gmane.org/gmane.comp.encryption.cryptlib
Posts from non-subscribed addresses are blocked to prevent spam, please
subscribe in order to post messages.

Error Sending TLS SMTP email to servers that are not GMail

Topwiz — 2012-01-31T01:18:31

My program is written in PowerBuilder and uses the latest copy of cl32.dll to
send email. It works perfectly with GMail but when used with other servers
that require TLS it fails. PowerBuilder is very similar to VB6 in how it
calls .dll functions so I went by the example for that.

The error is returned from the call to activate the session. The error is
-32 "Bad/unrecognised data format".

Here is the code, minus the error handling:

ll_RetVal = cryptInit()
ll_RetVal = cryptCreateSession(ll_Session, CRYPT_UNUSED, CRYPT_SESSION_SSL)
ll_RetVal = cryptSetAttributeString(ll_Session, CRYPT_SESSINFO_SERVER_NAME,
ls_server, Len(ls_server))
ll_RetVal = cryptSetAttribute(ll_Session, CRYPT_SESSINFO_SERVER_PORT,
lui_port)
ll_RetVal = cryptSetAttribute(ll_Session, CRYPT_SESSINFO_ACTIVE, 1)

The variables that start with ll_ are Long, ls_ are String and lui_ are
UnsignedInteger. Long is a signed 4 byte number and UnsignedInteger is a
unsigned 2 byte number.

Thanks in advance,
Roland

Re: MySQL + ODBC Seg Fault

Peter Gutmann — 2012-01-16T11:13:24


This sounds like a bug in the MyODBC driver and/or MySQL if it's happening
inside libmysqlclient, so you'd have to file a bug report against them.
cryptlib checks for the presence of MySQL in keyset/odbc.c in order to work
around some existing MySQL/MyODBC bugs, but this is one that no-one's
encountered before.

Peter.

_______________________________________________
Cryptlib mailing list
Cryptlib< at >mbsks.franken.deAdministration via Mail: cryptlib-request< at >mbsks.franken.de
Archive: ftp://ftp.franken.de/pub/crypt/cryptlib/archives/
http://news.gmane.org/gmane.comp.encryption.cryptlib
Posts from non-subscribed addresses are blocked to prevent spam, please
subscribe in order to post messages.

MySQL + ODBC Seg Fault

Graham Fenner — 2012-01-14T08:33:52

hello there i hope that you can help me.

I am using cryptlib with mysql and myodbc
 driver on linux.  I make a simple

certificate as described in the manual, 
I then open a ODBC database using

KeySetOpen .... i checked return errors 
and they are not returning bad , its

just that when i call 
AddPublicKey(keyset,cryptCertificate).

This is a high level function and it 
will connect to the database. Okay the

OPTION which is set on KeySetOpen is 
NONE because i want it to write.  Well,

when i call AddPublicKey i get a 
segmentation fault.  I used gdb to debug the

problem, it seems that mysqlclient is 
calling Escape function. Like so :

escape_string_for_mysql () from 
/usr/lib/libmysqlclient_r.so.16

This is where dbg found the segmentation
 fault signal.

I hope you can help me, i even recompiled
 the crypt source to try and figure

what is happening at a lower level.  I 
found that when odbc.c is calling

sqlStatus = SQLExecDirect( hStmt, query, 
queryLength ); that the fault happens.

I logged the parameters passed to that, 
like so :

backendType = 3
Bound Data = 
Bound Data State = 0
query Length = 70
command Length = 70
SQL_QUERY_BUFSIZE = 320
command = INSERT INTO certificates 
VALUES (?, ?, ?, ?, ?, ?, ?,?, ?, ?, ?, ?, ?)
query = INSERT INTO certificates VALUES 
(?, ?, ?, ?, ?, ?, ?,?, ?, ?, ?, ?, ?)

maybe ignore Bound Data , i used %s in printf
 lol so it searches for null character.

Would be interested to hear what i am doing wrong, cheers.


_______________________________________________
Cryptlib mailing list
Cryptlib< at >mbsks.franken.deAdministration via Mail: cryptlib-request< at >mbsks.franken.de
Archive: ftp://ftp.franken.de/pub/crypt/cryptlib/archives/
http://news.gmane.org/gmane.comp.encryption.cryptlib
Posts from non-subscribed addresses are blocked to prevent spam, please
subscribe in order to post messages.