[xmlsec] xmlSecDSigCtxVerify fails

Aleksey Sanin aleksey at aleksey.com
Wed Feb 3 08:37:41 PST 2010


IMHO, you have data corruption somewhere in your program. The fact
that you can't reproduce the problem with xmlsec command line tool
indicates to me that this is somewhere in your code.

Did you try valgrind?

Aleksey

On 2/2/2010 11:34 PM, mahendra N wrote:
> Hi Aleksey,
> Still I am not able to reproduce the error on command
> line. I have done some further analysis on the topic.
>
> I was looking through the xmlsec-1.2.12 code.
> We verify the signature using the xmlSecDSigCtxVerify function in xmldsig.c
>
> There is a very strange behavior observed: xmlSecDSigCtxVerify
> returns xmlSecDSigStatusInvalid when an XML file is tampered. The
> function works perfectly fine, but somehow the value of status is
> always xmlSecDSigStatusSucceeded when it returns from
> xmlSecDSigCtxVerify.
> I put some print statements in the xmlsec code in the xmlSecDSigCtxVerify
> function.
> The function returns dSigCtx->status = xmlSecDSigStatusInvalid but
> it is always
> dSigCtx->status = xmlSecDSigStatusSucceeded when we try to print the
> value of dSigCtx->status after return from the
> xmlSecDSigCtxVerify function. Even when I modified the code and set
> dSigCtx->status = xmlSecDSigStatusUnknown, the value of
> dSigCtx->status was xmlSecDSigStatusSucceeded after return from the
> xmlSecDSigCtxVerify function.
>
> Somehow the value of dSigCtx->status is being set to
> xmlSecDSigStatusSucceeded always. Any help would be greatly
> appreciated.
>
> Thanks in advance,
> Mahendra Naik
>
>
> 2010/2/1 Aleksey Sanin <aleksey at aleksey.com>
>
>     The symbol lookup problem is again related to multiple versions of
>     the xmlsec library.
>
>     This makes me suspicious that the second problem is also caused by
>     a mismatch between headers and the actual loaded .so library.
>
>     One more idea - try to compile xmlsec as a static library w/o
>     dynamic loading for the crypto library.
>
>     Aleksey
>
>
>     On 2/1/2010 4:11 AM, mahendra N wrote:
>
>         Hi Aleksey,
>         Yes, there were multiple versions of library on my
>         system. I have resolved the issue now. Now I get the following error
>
>         xmlsec1: symbol lookup error: /usr/lib64/libxmlsec1.so.1: undefined
>         symbol: xmlSecNameAESKeyValue
>
>         And one more observation:
>         when I try to access the following value
>         dsigCtx->signMethod->status; I get a segmentation fault on
>         windriver linux(mips). but it works fine on red hat linux(x86).
>         Regards,
>         Mahendra Naik
>
>         2010/1/29 Aleksey Sanin <aleksey at aleksey.com>
>
>
>             You have multiple versions of the library on your system.
>             Incorrect LD_LIBRARY_PATH?
>
>             Aleksey
>
>
>             On 1/29/2010 1:24 AM, mahendra N wrote:
>
>                 Hi Aleksey,
>                 when I try to reproduce the error, I get the
>                 following error
>
>                 func=xmlSecCheckVersionExt:file=xmlsec.c:line=170:obj=unknown:subj=unknown:error=1:xmlsec
>                 library function failed:mode=abi compatible;expected minor
>                 version=2;real minor version=2;expected subminor version=12;real
>                 subminor version=11
>
>                 Error: loaded xmlsec library version is not compatible.
>                 Error: initialization failed
>
>
>                 Thanks and Regards,
>                 Mahendra Naik
>                 2010/1/29 Aleksey Sanin <aleksey at aleksey.com>
>
>
>                     Can you reproduce the problem with xmlsec command line utility?
>                     Unfortunately, I don't have mips around and I can't debug this. It
>                     smells like some compilation issue either in xmlsec or openssl.
>                     Try to compile openssl from C code, don't use assembler. And also
>                     try to disable all the optimizations in the openssl and gcc.
>
>                     Aleksey
>
>
>
>                     On 1/28/2010 8:32 PM, mahendra N wrote:
>
>                         we are using xmlsec 1.2.12 to check whether a license file is
>                         tampered.
>                         We are testing it on x86, SPARC and mips. xmlSecDSigCtxVerify
>                         function
>                         is used to check whether the signature is valid or not.
>                         on x86 and SPARC I get the logs as:
>
>                         xmlSecOpenSSLEvpDigestVerify:         XmlSec Error data and digest do
>                         not match (12)
>
>                         xmlSecDSigCtxPtr->status = xmlSecDSigStatusInvalid;
>
>                         but in case of mips the logs are:
>
>                         xmlSecOpenSSLEvpDigestVerify:         XmlSec Error data and digest do
>                         not match (12)
>
>                         xmlSecDSigCtxPtr->status = xmlSecDSigStatusSucceeded;
>
>                         so tampering of license is undetected on mips.
>
>
>                         2010/1/28 Aleksey Sanin <aleksey at aleksey.com>
>
>
>
>                             Sorry, I don't understand. Can you provide an example?
>
>                             Aleksey
>
>
>                             On 1/28/2010 3:45 AM, mahendra N wrote:
>
>                                 Hi,
>                                 We are using the xmlSecDSigCtxVerify API to check whether a
>                                 license file is tampered. The license file is in w3 XML format.
>                                 Shouldn't the status element of the xmlSecDSigCtxPtr structure
>                                 capture the error if the license file is tampered? But, it's
>                                 happening, but the error is caught by the signKey element on x86,
>                                 but the signKey accesses a wrong pointer in mips. How should we
>                                 go about the issue?
>                                 Thanks and Regards,
>                                 Mahendra Naik
>
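
The header/library mismatch suspected in the quoted 2010/2/1 reply, as an added example that is not part of the thread and is not xmlsec code: a self-contained C model in which the loaded library and the application's header disagree on the context layout, so the Invalid verdict for a tampered file is read back as Succeeded. The struct layouts, all names and the `operation = 1` value are hypothetical; only the subminor numbers 12 and 11 come from the quoted error.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model, not xmlsec's real structures or API. */
typedef enum { ST_UNKNOWN = 0, ST_SUCCEEDED = 1, ST_INVALID = 2 } sig_status;

/* Context layout inside the shared object that actually gets loaded. */
typedef struct { void *user; unsigned flags, flags2; int operation; sig_status status; } lib_ctx;
/* Layout in the stale header the application was compiled against. */
typedef struct { void *user; unsigned flags; int operation; sig_status status; } app_ctx;

/* Header vs. loaded-library subminor, numbers from the error quoted in the thread. */
enum { HDR_SUBMINOR = 12, LIB_SUBMINOR = 11 };

/* "Library" side: records the verdict using its own field offsets. */
static int lib_verify(void *mem, int tampered) {
    lib_ctx c;
    memcpy(&c, mem, sizeof c);
    c.operation = 1;                       /* 1 = "verify" in this model */
    c.status = tampered ? ST_INVALID : ST_SUCCEEDED;
    memcpy(mem, &c, sizeof c);
    return 0;                              /* call completed; verdict lives in status */
}

/* "Application" side: reads status at the offset its own header promises. */
static sig_status app_status(const void *mem) {
    app_ctx c;
    memcpy(&c, mem, sizeof c);
    return c.status;
}

/* Startup gate: refuse to run when header and loaded library disagree. */
static int version_ok(void) { return HDR_SUBMINOR == LIB_SUBMINOR; }

/* What the application believes after the library verifies a tampered file. */
static sig_status demo_tampered(void) {
    unsigned char mem[sizeof(lib_ctx)] = {0};
    lib_verify(mem, 1);
    return app_status(mem);
}

int main(void) {
    if (!version_ok()) return 1;           /* fail closed, as xmlsec1 did in the thread */
    return demo_tampered() == ST_INVALID ? 0 : 2;
}
```

In this model the application's `status` offset lands on the library's `operation` field, so the check fails open; the version gate is what stops the program before any verdict is trusted.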

