> From: owner-openssl-us...@openssl.org On Behalf Of Jan Danielsson
> Sent: Friday, 17 September, 2010 18:40

>    For certain reasons I want to load the OpenSSL libraries 
> at run-time [and] load a PKCS#12 file ...
>    The relevant code snippets follow (the code below is just exerts,
> and parts were originally taken from apps/apps.c):
> 
(Aside: that word should be "excerpts". "exert[s]" means something else.)

<some snipped>
>    lib = dlopen(fname, RTLD_LAZY);
> 
>    dlerror();
> 
You only need to call dlerror if dlopen/dlsym/dlclose fails, 
and then you should make use of the return, e.g. print it.

>       p12 = d2i_pkcs12_fp(fp, NULL);
>       if(p12 == NULL) [error]

>       /* See if an empty password will do */
>       if(pkcs12_verify_mac(p12, "", 0) || pkcs12_verify_mac(p12, NULL, 0)) [ok]

>       else ... if(!pkcs12_verify_mac(p12, passwd, len)) [error]

>    I get the "Mac verify error (wrong password? ..." error.
> 
Anytime you get an error from a libcrypto routine (and usually 
from a libssl routine as well) you should get the description(s) 
from the OpenSSL error queue. The simplest way is just print them 
with ERR_print_errors[_fp], or you can write slightly more code 
to call ERR_get_error _in a loop until zero_ and format as you like.

>    My initial guess was that I need to initialize the library in some
> manner before I can call functions which perform the verification. A
> quick search led me to
> http://www.ibm.com/developerworks/linux/library/l-openssl.html, which
> stipulates:
> 
You certainly must configure the algorithms used, and should load the 
errorstrings applicable in case you need to display an error as above.
(Although if you don't load errorstrings you can still display the 
error codes, preferably in hex, and later interpret with 'errstr'.)

>    ``/* Initializing OpenSSL */
> 
>      SSL_load_error_strings();
>      ERR_load_BIO_strings();
>      OpenSSL_add_all_algorithms();''
> 
Whoever wrote that wasn't very careful. SSL_load_error_strings 
calls ERR_load_crypto_strings which calls all the modules in crypto 
including BIO; there's no reason to do it and only it separately.

For the limited functionality you're using you don't need 
the SSL strings, and only need some modules from crypto, but 
it's more trouble than it's worth to select out those parts; 
just do either ERR_load_crypto_strings or SSL_load_error_strings.

>    I nm'd my /usr/lib/libcrypto.so, but it doesn't appear to contain any
> entry for OpenSSL_add_all_algorithms. It does however have:
> 000000000009be20 T OpenSSL_add_all_ciphers
> 000000000009bc90 T OpenSSL_add_all_digests
> 
_add_all_algorithms is a macro for either _add_all_algorithms_conf 
or _add_all_algorithms_noconf, and you should have both of those.
See evp.h. _noconf basically does just _ciphers and _digests 
(and cpuid_setup, which I believe falls back to something safe); 
_conf does several more things, notably loading a default config file, 
which you almost certainly don't need. I suggest you do _noconf.

You could individually add only the algorithms needed, but 
that's far too much trouble, and requires maintenance if new 
algorithms are adopted in the future as they probably will.

>    But I'm beginning to feel that I might be chasing the wrong end here.
> Can anyone find an immediate problem with how I'm using the PKCS#12
> functions?
> 
Not other than the above. If you still have a problem after 
configuring algorithms, check the ERR_ information, and if 
it doesn't help you, bring it back here.



______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
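
The advice in this reply combined into one program, as an added example that is not code from the original post or from OpenSSL: dlerror() is printed only after a failed dlopen/dlsym, the setup routines are called when the library exports them, and the error queue is drained in a loop until ERR_get_error returns zero. The default library name, the helper names and the stand-in queue are assumptions made for illustration.

```c
#include <dlfcn.h>
#include <stdio.h>

typedef unsigned long (*get_error_fn)(void);                    /* ERR_get_error */
typedef void (*error_string_fn)(unsigned long, char *, size_t); /* ERR_error_string_n */

/* Pop entries until the queue returns 0. Each code is printed in hex (the form
   `openssl errstr` accepts), followed by its text when a formatter is available. */
static int drain_errors(get_error_fn get_error, error_string_fn to_string, FILE *out)
{
    unsigned long code;
    char text[256] = "";
    int n;
    for (n = 0; (code = get_error()) != 0; n++) {
        if (to_string != NULL)
            to_string(code, text, sizeof text);
        fprintf(out, "error %08lX %s\n", code, text);
    }
    return n;
}

/* Constructed stand-in for a queue holding two entries, so the loop can run offline. */
static unsigned long fake_codes[] = { 0x11111111UL, 0x22222222UL, 0 }, *fake_next = fake_codes;
static unsigned long fake_get_error(void) { return *fake_next ? *fake_next++ : 0; }

int main(int argc, char **argv)
{
    static const char *setup[] = { "ERR_load_crypto_strings", "OpenSSL_add_all_algorithms_noconf" };
    void *lib = dlopen(argc > 1 ? argv[1] : "libcrypto.so", RTLD_NOW);
    if (lib == NULL) {                      /* dlerror() is consulted only after a failure */
        fprintf(stderr, "dlopen: %s\n", dlerror());
        drain_errors(fake_get_error, NULL, stderr);  /* no library: run the loop on the stand-in */
        return 1;
    }
    get_error_fn get_error = (get_error_fn)dlsym(lib, "ERR_get_error");
    if (get_error == NULL) {
        fprintf(stderr, "dlsym: %s\n", dlerror());
        return 1;
    }
    error_string_fn to_string = (error_string_fn)dlsym(lib, "ERR_error_string_n");
    for (int i = 0; i < 2; i++) {           /* assumption: a build lacking these needs no explicit setup */
        void (*fn)(void) = (void (*)(void))dlsym(lib, setup[i]);
        if (fn != NULL)
            fn();
    }
    /* The PKCS#12 calls go here; after any of them fails: */
    drain_errors(get_error, to_string, stderr);
    return dlclose(lib);
}
```

On systems where dlopen lives in a separate library, link with -ldl.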