On Mon, Apr 25, 2005, Sean Covel wrote:

> Now that I've updated to the latest OpenSSL (7g) I've got a question:
>
> I implemented some RC4 functionality using the low-level rc4 functions
> (RC4_Set_Key, RC4), and it's working fine.
>
> The OpenSSL documentation recommends using the EVP_* functions instead
> of the lower level functions. It seems like it might give easy access
> to additional functionality, so I'm converting.
>
> Here's the problem. When I switched the code from RC4 to EVP, the
> program broke, in a big way. The project freezes and I have to either
> logout or shutdown in order to get Visual Studio 6 to die. If I'm
> REALLY patient (and I'm not) I can eventually get Task Manager to come
> up, and then click on msdev.exe (and then wait.....) and then click on
> end-process (and wait) and then click on OK (and wait....). You get the
> idea.
>
> A brief explanation of what the code is doing. The code is a plugin for
> another program. The program initializes the plugin, passes it a
> password, and then starts handing it chunks of text to encrypt. The
> program has a socket open to another identical program, doing the same
> thing "on the other side." Kinda like a chat program. The encrypt key
> is for sending, the decrypt key is for receiving. All the plugin knows
> is the key, the input/output buffer, and the length of the chunk.
>
> I have the RC4 code and the EVP code both in there. They are controlled
> by a #define.
>
> Here are the relevant chunks for code. I'm trying to give enough code
> without over-burdening you. If you need more, let me know.
> [snip]

Here's one problem:

> EVP_CIPHER_CTX_set_key_length(&Dctx, 128);

the length parameter is in bytes not bits.

Additionally you seem to be using an unsalted key derivation algorithm
with a stream cipher (RC4). If passwords are reused then I hope you
aren't sending anything sensitive that way because that is an insecure
combination.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
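
Added example, not part of the original message and not OpenSSL or poster code: a self-contained Python sketch of why an unsalted password-derived key plus RC4 is the insecure combination named in the reply, and how a per-session salt removes the keystream reuse. The derivation (truncated SHA-256), the function names, the password and the messages are all assumptions made for illustration, since the poster's derivation code was snipped.

```python
import hashlib
import os

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are identical."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def derive_key(password: bytes, salt: bytes = b"") -> bytes:
    # Assumption: one hash pass stands in for the snipped derivation.
    # 16 bytes == 128 bits, the length the set_key_length call needs in bytes.
    return hashlib.sha256(password + salt).digest()[:16]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_session(password: bytes, plaintext: bytes, salted: bool):
    # A salted design sends the random salt in the clear with the session.
    salt = os.urandom(8) if salted else b""
    return salt, rc4(derive_key(password, salt), plaintext)

def keystream_reused(password: bytes, p1: bytes, p2: bytes, salted: bool) -> bool:
    """True when two sessions under one password leak p1 XOR p2."""
    _, c1 = encrypt_session(password, p1, salted)
    _, c2 = encrypt_session(password, p2, salted)
    return xor(c1, c2) == xor(p1, p2)

# Constructed sample inputs.
PASSWORD = b"shared plugin password"
P1 = b"meet at the north gate"
P2 = b"payment of 4000 is due"

if __name__ == "__main__":
    print("unsalted, keystream reused:", keystream_reused(PASSWORD, P1, P2, False))
    print("salted,   keystream reused:", keystream_reused(PASSWORD, P1, P2, True))
```
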