AES cipher

AES cipher

Chris Clark
I'm trying to allow my program to be configurable for either AES 128
bit, or AES 256 bit. The problem is that when I select only the
AES128-SHA cipher, the other AES ciphers (including 256 bit) get added
automatically.

Is this a limitation of selecting AES, or am I doing something wrong?
Here is my code:

1. Set ciphers:

CString Shif = "AES128-SHA";

Shif+="!IDEA:!ADH:";
SSL_CTX_set_cipher_list(m_ctx, Shif.GetBuffer());
/* SSL_CTX_set_options() takes the context as its first argument */
SSL_CTX_set_options(m_ctx, SSL_OP_NO_SSLv2);

2. Display ciphers:

SSL* lSSL = SSL_new(lCTX);

int ccnt = 0;
const char *res;
/* SSL_get_cipher_list() returns NULL once the index is past the last cipher */
for (int i = 0; (res = SSL_get_cipher_list(lSSL, i)) != NULL; i++)
{
    m_List.AddString(res);
    ccnt++;
}


-Chris Clark
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: AES cipher

Lutz Jaenicke-2
On Mon, Feb 13, 2006 at 12:34:42PM -0800, Chris Clark wrote:

> I'm trying to allow my program to be configurable for either AES 128
> bit, or AES 256 bit. The problem is that when I select only the
> AES128-SHA cipher, the other AES ciphers (including 256 bit) get added
> automatically.
>
> Is this a limitation of selecting AES, or am I doing something wrong?
> Here is my code:
>
> 1. Set ciphers:
>
> CString Shif = "AES128-SHA";
>
> Shif+="!IDEA:!ADH:";

You probably have to add some ":" here. With the explicit selection of
AES128-SHA you do not have to remove the other ciphers anyway.

> SSL_CTX_set_cipher_list(m_ctx, Shif.GetBuffer());
> SSL_CTX_set_options(SSL_OP_NO_SSLv2);
>
> 2. Display ciphers:
>
> SSL* lSSL = SSL_new(lCTX);
>
> int ccnt=0;
> const char *res=(char*)1;
> for (int i=0;res!=NULL;i++)
> {
>     res = SSL_get_cipher_list(lSSL, i);
>     if (res)
>     {
>        m_List.AddString((char*)res);
>        ccnt++;
>     }
> }

The openssl command line tool seems to handle the problem well...
lutzpc 30: openssl ciphers -v AES128-SHA
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1

Best regards,
        Lutz
--
Lutz Jaenicke                             [hidden email]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
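Lutz's `openssl ciphers -v` check is the right way to see what a cipher string actually expands to before trusting it in an application. The following Python is an added example (not code from the thread or from OpenSSL) that parses that output format and reports any cipher the string pulled in that was not asked for; the sample output is constructed to mimic the AES256-SHA problem described in the thread, not captured from a real build.

```python
import re
import subprocess
from typing import Dict, List, Set

# Constructed sample of `openssl ciphers -v` output. The second line imitates
# the 0.9.8a behaviour reported in the thread, where asking for "AES128-SHA"
# also enabled AES256-SHA. It is not real output from any OpenSSL build.
SAMPLE_CIPHERS_V = """\
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
"""

# One cipher per line: name, protocol, then Kx=, Au=, Enc=, Mac= fields.
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)"
)


def parse_ciphers_v(text: str) -> List[Dict[str, str]]:
    """Parse the one-cipher-per-line format printed by `openssl ciphers -v`."""
    ciphers = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ciphers.append(m.groupdict())
    return ciphers


def unexpected_ciphers(text: str, expected: Set[str]) -> List[str]:
    """Names in the expanded list that the caller did not explicitly ask for."""
    return [c["name"] for c in parse_ciphers_v(text) if c["name"] not in expected]


def key_sizes(text: str) -> Dict[str, int]:
    """Map cipher name -> symmetric key size taken from the Enc=AES(nnn) field."""
    sizes = {}
    for c in parse_ciphers_v(text):
        m = re.search(r"\((\d+)\)", c["enc"])
        if m:
            sizes[c["name"]] = int(m.group(1))
    return sizes


def live_ciphers_v(spec: str) -> str:
    """Run the real `openssl ciphers -v <spec>`; needs an openssl binary on PATH."""
    return subprocess.run(["openssl", "ciphers", "-v", spec],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # Offline check against the constructed sample; swap in live_ciphers_v("AES128-SHA")
    # to check the OpenSSL build you actually link against.
    print("unexpected:", unexpected_ciphers(SAMPLE_CIPHERS_V, {"AES128-SHA"}))
```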

Re: AES cipher

Chris Clark
I tried adding ":" as suggested, but this still did not work. :(
Does anyone have other suggestions?

-Chris

> > I'm trying to allow my program to be configurable for either AES 128
> > bit, or AES 256 bit. The problem is that when I select only the
> > AES128-SHA cipher, the AES256-SHA cipher gets added
> > automatically.
> >
> > Is this a limitation of selecting AES, or am I doing something wrong?
> > Here is my code:
> >
> > 1. Set ciphers:
> >
> > CString Shif = "AES128-SHA";
> >
> > Shif+="!IDEA:!ADH:";
>
> You probably have to add some ":" here. With the explicit selection of
> AES128-SHA you do not have to remove the other ciphers anyway.
>
> > SSL_CTX_set_cipher_list(m_ctx, Shif.GetBuffer());
> > SSL_CTX_set_options(SSL_OP_NO_SSLv2);
> >
> > 2. Display ciphers:
> >
> > SSL* lSSL = SSL_new(lCTX);
> >
> > int ccnt=0;
> > const char *res=(char*)1;
> > for (int i=0;res!=NULL;i++)
> > {
> >     res = SSL_get_cipher_list(lSSL, i);
> >     if (res)
> >     {
> >        m_List.AddString((char*)res);
> >        ccnt++;
> >     }
> > }

Re: AES cipher

Kyle Hamilton
Yeah.  Any cipher that is not explicitly added is denied.  So, try just doing:

CString Shif = "AES128-SHA";

// C++ automatic type conversion converts Shif appropriately to LPSTR
SSL_CTX_set_cipher_list(m_ctx, Shif);
/* SSL_CTX_set_options(SSL_OP_NO_SSLv2); */
/* Since AES128 isn't an SSLv2 cipher it doesn't matter */

I'd also point out that if you do use a CString::GetBuffer, you need
to specify how many characters longer you need the buffer as the
parameter to GetBuffer(), else you'll end up with a buffer overrun.

Cheers,

-Kyle H

On 2/16/06, Chris Clark <[hidden email]> wrote:
> I tried adding ":" as suggested, but this still did not work. :(
> Does anyone have other suggestions?
>
> -Chris

Re: AES cipher

Chris Clark
On 2/16/06, Kyle Hamilton wrote:
> Yeah.  Any cipher that is not explicitly added is denied.  So, try just doing:
>
> CString Shif = "AES128-SHA";

When I just use this string, it automatically adds "AES256-SHA" as well.
This appears to be a bug in OpenSSL 0.98a. Could anyone confirm this?

-Chris

Re: AES cipher

Dr. Stephen Henson
On Fri, Feb 17, 2006, Chris Clark wrote:

> On 2/16/06, Kyle Hamilton wrote:
> > Yeah.  Any cipher that is not explicitly added is denied.  So, try just doing:
> >
> > CString Shif = "AES128-SHA";
>
> When I just use this string, it automatically adds "AES256-SHA" as well.
> This appears to be a bug in OpenSSL 0.98a. Could anyone confirm this?
>

Yes I can confirm that. The "ciphers" command does the same.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk

Re: AES cipher

Chris Clark
> > > CString Shif = "AES128-SHA";
> >
> > When I just use this string, it automatically adds "AES256-SHA" as well.
> > This appears to be a bug in OpenSSL 0.98a. Could anyone confirm this?
> >
>
> Yes I can confirm that. The "ciphers" command does the same.

Thanks Steve. Do you know if this has been fixed in the development version?
If so, which source file would I need to look at?

-Chris

Re: AES cipher

Dr. Stephen Henson
On Fri, Feb 17, 2006, Chris Clark wrote:

> > > > CString Shif = "AES128-SHA";
> > >
> > > When I just use this string, it automatically adds "AES256-SHA" as well.
> > > This appears to be a bug in OpenSSL 0.98a. Could anyone confirm this?
> > >
> >
> > Yes I can confirm that. The "ciphers" command does the same.
>
> Thanks Steve. Do you know if this has been fixed in the development version?
> If so, which source file would I need to look at?
>

No, it is still a problem with the development version of 0.9.8. I'll see if I
can find time to look into it. Someone else should feel free to jump in if
they want to...

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk