Re: [openssl-dev] Bug reports and patches for OpenSSL

[yuchi tian]

Thank you for pointing out. That is not what I expect, but very important
point for fix.

Sincerely,
Yuchi Tian

On Mon, Feb 6, 2017 at 4:59 PM, Lars Nordin  wrote:

> On 2017-02-05 07:54, yuchi tian wrote:
>
> Dear OpenSSL developers,
>
> We are software engineering researchers at University of Virginia. As part
> of a research project, we have built a tool for automatically finding and
> fixing error handling bugs and are testing it on
> various cryptographic libraries and applications that use them.
>
> In the most recent version of OpenSSL, we discovered various instances
> where there may be memory leak on error path, potential error propagation
> or missing check of function call. And we also give a patch for each
> potential bug.
>
> Please let us know how you intend to address these issues.
>
> 1:
> https://github.com/openssl/openssl/blob/master/apps/ts.c
> line 891, BIO_new_file(data, "rb")
> bug info: memory leak on error path
> patch:
>
> --- a/apps/ts.c
> +++ b/apps/ts.c
> @@ -878,6 +878,7 @@ static TS_VERIFY_CTX *create_verify_ctx(const char
> *data, co
>  {
>  TS_VERIFY_CTX *ctx = NULL;
>  BIO *input = NULL;
> +BIO *out = NULL;
>  TS_REQ *request = NULL;
>  int ret = 0;
>  int f = 0;
> @@ -888,7 +889,8 @@ static TS_VERIFY_CTX *create_verify_ctx(const char
> *data, co
>  f = TS_VFY_VERSION | TS_VFY_SIGNER;
>  if (data != NULL) {
>  f |= TS_VFY_DATA;
> -if (TS_VERIFY_CTX_set_data(ctx, BIO_new_file(data, "rb")) ==
> NULL)
> +out = BIO_new_file(data, "rb")
> +if (TS_VERIFY_CTX_set_data(ctx, out) == NULL)
>  goto err;
>  } else if (digest != NULL) {
>  long imprint_len;
> @@ -931,6 +933,7 @@ static TS_VERIFY_CTX *create_verify_ctx(const char
> *data, co
>  }
>  BIO_free_all(input);
>  TS_REQ_free(request);
> +BIO_free_all(out)
>  return ctx;
>  }
>
>
>
> 2:
> https://github.com/openssl/openssl/blob/master/crypto/dh/dh_gen.c
> line 75,77,  ret->p = BN_new()
> bug info: memory leak on error path
> patch:
> @@ -126,5 +126,7 @@ static int dh_builtin_genparams(DH *ret, int
> prime_len, int
>  BN_CTX_end(ctx);
>  BN_CTX_free(ctx);
>  }
> +if(ret->p!=NULL)BN_free(ret->p);
> +if(ret->g!=NULL)BN_free(ret->g);
>  return ok;
>  }
>
>
> 3:
> https://github.com/openssl/openssl/blob/master/crypto/ec/ec_key.c
> line 117, dest->priv_key = BN_new();
> bug info: memory leak on error path
> patch:
>
> @@ -119,9 +119,11 @@ EC_KEY *EC_KEY_copy(EC_KEY *dest, const EC_KEY *src)
>  return NULL;
>  }
>  if (!BN_copy(dest->priv_key, src->priv_key))
> +BN_free(dest->priv_key)
>  return NULL;
>  if (src->group->meth->keycopy
>  && src->group->meth->keycopy(dest, src) == 0)
> +BN_free(dest->priv_key)
>
> The tool need can't just add an extra line for an if-statement without {}
>
>  return NULL;
>  }
>  }
> @@ -134,6 +136,7 @@ EC_KEY *EC_KEY_copy(EC_KEY *dest, const EC_KEY *src)
>  dest->flags = src->flags;
>  if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_EC_KEY,
>  >ex_data, >ex_data))
> +BN_free(dest->priv_key)
>
> Same comment!
>
>  return NULL;
>
>  if (src->meth != dest->meth) {
> @@ -146,6 +149,7 @@ EC_KEY *EC_KEY_copy(EC_KEY *dest, const EC_KEY *src)
>  }
>
>  if (src->meth->copy != NULL && src->meth->copy(dest, src) == 0)
> +BN_free(dest->priv_key)
>  return NULL;
>
> Another one
>
>
>  return dest;
>
>
> 4:(solved in the recent commit)
> https://github.com/openssl/openssl/blob/master/crypto/asn1/a_digest.c
> line 33, str = OPENSSL_malloc(i));
> bug info: memory leak on error path
> patch: OPENSSL_free(str);
> patch location: 41
>
> 5:
> https://github.com/openssl/openssl/blob/master/crypto/asn1/bio_ndef.c
> line 116,185, p = OPENSSL_malloc(derlen);
> bug info: memory leak on error path
> patch:
>
> @@ -122,6 +122,7 @@ static int ndef_prefix(BIO *b, unsigned char **pbuf,
> int *pl
>  derlen = ASN1_item_ndef_i2d(ndef_aux->val, , ndef_aux->it);
>
>  if (!*ndef_aux->boundary)
> +OPENSSL_free(p);
>  return 0;
>
>
> And again
>
>  *plen = *ndef_aux->boundary - *pbuf;
> @@ -191,6 +192,7 @@ static int ndef_suffix(BIO *b, unsigned char **pbuf,
> int *pl
>  derlen = ASN1_item_ndef_i2d(ndef_aux->val, , ndef_aux->it);
>
>  if (!*ndef_aux->boundary)
> +OPENSSL_free(p);
>  return 0;
>
> And again
>
>  *pbuf = *ndef_aux->boundary;
>  *plen = derlen - (*ndef_aux->boundary - ndef_aux->derbuf);
>
> 6:
> https://github.com/openssl/openssl/blob/master/crypto/bio/bss_bio.c
> line 625, b1->buf = OPENSSL_malloc(b1->size);
> bug info: memory leak on error path
> patch:
>
> @@ -635,6 +635,7 @@ static int bio_make_pair(BIO *bio1, BIO *bio2)
>  b2->buf = 

Re: [openssl-dev] Bug reports and patches for OpenSSL

[Lars Nordin]

On 2017-02-05 07:54, yuchi tian wrote:

Dear OpenSSL developers,

We are software engineering researchers at University of Virginia. As 
part of a research project, we have built a tool for automatically 
finding and fixing error handling bugs and are testing it on

various cryptographic libraries and applications that use them.

In the most recent version of OpenSSL, we discovered various instances 
where there may be memory leak on error path, potential error 
propagation or missing check of function call. And we also give a 
patch for each potential bug.


Please let us know how you intend to address these issues.

1:
https://github.com/openssl/openssl/blob/master/apps/ts.c
line 891, BIO_new_file(data, "rb")
bug info: memory leak on error path
patch:

--- a/apps/ts.c
+++ b/apps/ts.c
@@ -878,6 +878,7 @@ static TS_VERIFY_CTX *create_verify_ctx(const char 
*data, co

 {
 TS_VERIFY_CTX *ctx = NULL;
 BIO *input = NULL;
+BIO *out = NULL;
 TS_REQ *request = NULL;
 int ret = 0;
 int f = 0;
@@ -888,7 +889,8 @@ static TS_VERIFY_CTX *create_verify_ctx(const char 
*data, co

 f = TS_VFY_VERSION | TS_VFY_SIGNER;
 if (data != NULL) {
 f |= TS_VFY_DATA;
-if (TS_VERIFY_CTX_set_data(ctx, BIO_new_file(data, "rb")) 
== NULL)

+out = BIO_new_file(data, "rb")
+if (TS_VERIFY_CTX_set_data(ctx, out) == NULL)
 goto err;
 } else if (digest != NULL) {
 long imprint_len;
@@ -931,6 +933,7 @@ static TS_VERIFY_CTX *create_verify_ctx(const char 
*data, co

 }
 BIO_free_all(input);
 TS_REQ_free(request);
+BIO_free_all(out)
 return ctx;
 }



2:
https://github.com/openssl/openssl/blob/master/crypto/dh/dh_gen.c
line 75,77,  ret->p = BN_new()
bug info: memory leak on error path
patch:
@@ -126,5 +126,7 @@ static int dh_builtin_genparams(DH *ret, int 
prime_len, int

 BN_CTX_end(ctx);
 BN_CTX_free(ctx);
 }
+if(ret->p!=NULL)BN_free(ret->p);
+if(ret->g!=NULL)BN_free(ret->g);
 return ok;
 }


3:
https://github.com/openssl/openssl/blob/master/crypto/ec/ec_key.c
line 117, dest->priv_key = BN_new();
bug info: memory leak on error path
patch:

@@ -119,9 +119,11 @@ EC_KEY *EC_KEY_copy(EC_KEY *dest, const EC_KEY *src)
 return NULL;
 }
 if (!BN_copy(dest->priv_key, src->priv_key))
+BN_free(dest->priv_key)
 return NULL;
 if (src->group->meth->keycopy
 && src->group->meth->keycopy(dest, src) == 0)
+BN_free(dest->priv_key)

The tool need can't just add an extra line for an if-statement without {}


 return NULL;
 }
 }
@@ -134,6 +136,7 @@ EC_KEY *EC_KEY_copy(EC_KEY *dest, const EC_KEY *src)
 dest->flags = src->flags;
 if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_EC_KEY,
 >ex_data, >ex_data))
+BN_free(dest->priv_key)

Same comment!

 return NULL;
 if (src->meth != dest->meth) {
@@ -146,6 +149,7 @@ EC_KEY *EC_KEY_copy(EC_KEY *dest, const EC_KEY *src)
 }
 if (src->meth->copy != NULL && src->meth->copy(dest, src) == 0)
+BN_free(dest->priv_key)
 return NULL;

Another one

 return dest;


4:(solved in the recent commit)
https://github.com/openssl/openssl/blob/master/crypto/asn1/a_digest.c
line 33, str = OPENSSL_malloc(i));
bug info: memory leak on error path
patch: OPENSSL_free(str);
patch location: 41

5:
https://github.com/openssl/openssl/blob/master/crypto/asn1/bio_ndef.c
line 116,185, p = OPENSSL_malloc(derlen);
bug info: memory leak on error path
patch:

@@ -122,6 +122,7 @@ static int ndef_prefix(BIO *b, unsigned char 
**pbuf, int *pl

 derlen = ASN1_item_ndef_i2d(ndef_aux->val, , ndef_aux->it);
 if (!*ndef_aux->boundary)
+OPENSSL_free(p);
 return 0;

And again


 *plen = *ndef_aux->boundary - *pbuf;
@@ -191,6 +192,7 @@ static int ndef_suffix(BIO *b, unsigned char 
**pbuf, int *pl

 derlen = ASN1_item_ndef_i2d(ndef_aux->val, , ndef_aux->it);
 if (!*ndef_aux->boundary)
+OPENSSL_free(p);
 return 0;

And again

 *pbuf = *ndef_aux->boundary;
 *plen = derlen - (*ndef_aux->boundary - ndef_aux->derbuf);

6:
https://github.com/openssl/openssl/blob/master/crypto/bio/bss_bio.c
line 625, b1->buf = OPENSSL_malloc(b1->size);
bug info: memory leak on error path
patch:

@@ -635,6 +635,7 @@ static int bio_make_pair(BIO *bio1, BIO *bio2)
 b2->buf = OPENSSL_malloc(b2->size);
 if (b2->buf == NULL) {
 BIOerr(BIO_F_BIO_MAKE_PAIR, ERR_R_MALLOC_FAILURE);
+OPENSSL_free(b1->buf);
 return 0;
 }
 b2->len = 0;

7:
https://github.com/openssl/openssl/blob/master/crypto/ec/ec_ameth.c
line 244, ep = OPENSSL_malloc(eplen);
bug info: memory leak on error path
patch:
@@ -255,6 +255,7 @@ static int eckey_priv_encode(PKCS8_PRIV_KEY_INFO 
*p8, const

 if 

Re: [openssl-dev] Bug reports and patches for OpenSSL

[yuchi tian]

> Guidance for how to correctly submit patches is given in the
> CONTRIBUTING file here:

> https://github.com/openssl/openssl/blob/master/CONTRIBUTING

> Please could you submit your fixes as a github pull request? One pull
> request for all of these issues should be fine.

Thank you for the information. I will submit the fixes as a github pull
request.

Sincerely,
Yuchi Tian


On Sun, Feb 5, 2017 at 8:49 AM, Matt Caswell  wrote:

>
>
> On 05/02/17 06:54, yuchi tian wrote:
> > Dear OpenSSL developers,
> >
> > We are software engineering researchers at University of Virginia. As
> > part of a research project, we have built a tool for automatically
> > finding and fixing error handling bugs and are testing it on
> > various cryptographic libraries and applications that use them.
> >
> > In the most recent version of OpenSSL, we discovered various instances
> > where there may be memory leak on error path, potential error
> > propagation or missing check of function call. And we also give a patch
> > for each potential bug.
> >
> > Please let us know how you intend to address these issues.
>
> Guidance for how to correctly submit patches is given in the
> CONTRIBUTING file here:
>
> https://github.com/openssl/openssl/blob/master/CONTRIBUTING
>
> Please could you submit your fixes as a github pull request? One pull
> request for all of these issues should be fine.
>
> We will also need a CLA from all authors:
> https://www.openssl.org/policies/cla.html
>
> Thanks!
>
> Matt
>
>
>
> >
> > 1:
> > https://github.com/openssl/openssl/blob/master/apps/ts.c
> > line 891, BIO_new_file(data, "rb")
> > bug info: memory leak on error path
> > patch:
> >
> > --- a/apps/ts.c
> > +++ b/apps/ts.c
> > @@ -878,6 +878,7 @@ static TS_VERIFY_CTX *create_verify_ctx(const char
> > *data, co
> >  {
> >  TS_VERIFY_CTX *ctx = NULL;
> >  BIO *input = NULL;
> > +BIO *out = NULL;
> >  TS_REQ *request = NULL;
> >  int ret = 0;
> >  int f = 0;
> > @@ -888,7 +889,8 @@ static TS_VERIFY_CTX *create_verify_ctx(const char
> > *data, co
> >  f = TS_VFY_VERSION | TS_VFY_SIGNER;
> >  if (data != NULL) {
> >  f |= TS_VFY_DATA;
> > -if (TS_VERIFY_CTX_set_data(ctx, BIO_new_file(data, "rb"))
> > == NULL)
> > +out = BIO_new_file(data, "rb")
> > +if (TS_VERIFY_CTX_set_data(ctx, out) == NULL)
> >  goto err;
> >  } else if (digest != NULL) {
> >  long imprint_len;
> > @@ -931,6 +933,7 @@ static TS_VERIFY_CTX *create_verify_ctx(const char
> > *data, co
> >  }
> >  BIO_free_all(input);
> >  TS_REQ_free(request);
> > +BIO_free_all(out)
> >  return ctx;
> >  }
> >
> >
> >
> > 2:
> > https://github.com/openssl/openssl/blob/master/crypto/dh/dh_gen.c
> > line 75,77,  ret->p = BN_new()
> > bug info: memory leak on error path
> > patch:
> > @@ -126,5 +126,7 @@ static int dh_builtin_genparams(DH *ret, int
> > prime_len, int
> >  BN_CTX_end(ctx);
> >  BN_CTX_free(ctx);
> >  }
> > +if(ret->p!=NULL)BN_free(ret->p);
> > +if(ret->g!=NULL)BN_free(ret->g);
> >  return ok;
> >  }
> >
> >
> > 3:
> > https://github.com/openssl/openssl/blob/master/crypto/ec/ec_key.c
> > line 117, dest->priv_key = BN_new();
> > bug info: memory leak on error path
> > patch:
> >
> > @@ -119,9 +119,11 @@ EC_KEY *EC_KEY_copy(EC_KEY *dest, const EC_KEY *src)
> >  return NULL;
> >  }
> >  if (!BN_copy(dest->priv_key, src->priv_key))
> > +BN_free(dest->priv_key)
> >  return NULL;
> >  if (src->group->meth->keycopy
> >  && src->group->meth->keycopy(dest, src) == 0)
> > +BN_free(dest->priv_key)
> >  return NULL;
> >  }
> >  }
> > @@ -134,6 +136,7 @@ EC_KEY *EC_KEY_copy(EC_KEY *dest, const EC_KEY *src)
> >  dest->flags = src->flags;
> >  if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_EC_KEY,
> >  >ex_data, >ex_data))
> > +BN_free(dest->priv_key)
> >  return NULL;
> >
> >  if (src->meth != dest->meth) {
> > @@ -146,6 +149,7 @@ EC_KEY *EC_KEY_copy(EC_KEY *dest, const EC_KEY *src)
> >  }
> >
> >  if (src->meth->copy != NULL && src->meth->copy(dest, src) == 0)
> > +BN_free(dest->priv_key)
> >  return NULL;
> >
> >  return dest;
> >
> >
> > 4:(solved in the recent commit)
> > https://github.com/openssl/openssl/blob/master/crypto/asn1/a_digest.c
> > line 33, str = OPENSSL_malloc(i));
> > bug info: memory leak on error path
> > patch: OPENSSL_free(str);
> > patch location: 41
> >
> > 5:
> > https://github.com/openssl/openssl/blob/master/crypto/asn1/bio_ndef.c
> > line 116,185, p = OPENSSL_malloc(derlen);
> > bug info: memory leak on error path
> > patch:
> >
> > @@ -122,6 +122,7 @@ static int ndef_prefix(BIO *b, unsigned char **pbuf,
> > int *pl
> >  derlen = ASN1_item_ndef_i2d(ndef_aux->val, 

Re: [openssl-dev] Bug reports and patches for OpenSSL

[yuchi tian]

> Will you make the tool and the corresponding scientific publication
> public?

Yes. We are currently in the step of evaluating our tools. We will submit
our work and share our tools when the project is done.

Sincerely,
Yuchi Tian

On Sun, Feb 5, 2017 at 6:16 AM, Hanno Böck  wrote:

> On Sun, 5 Feb 2017 01:54:06 -0500
> yuchi tian  wrote:
>
> > We are software engineering researchers at University of Virginia. As
> > part of a research project, we have built a tool for automatically
> > finding and fixing error handling bugs and are testing it on
> > various cryptographic libraries and applications that use them.
>
> I can't answer on how to best report those bugs, but:
> That sounds like interesting research.
>
> Will you make the tool and the corresponding scientific publication
> public?
>
> --
> Hanno Böck
> https://hboeck.de/
>
> mail/jabber: ha...@hboeck.de
> GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
> --
> openssl-dev mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
>
-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] Bug reports and patches for OpenSSL

[Matt Caswell]

On 05/02/17 06:54, yuchi tian wrote:
> Dear OpenSSL developers,
> 
> We are software engineering researchers at University of Virginia. As
> part of a research project, we have built a tool for automatically
> finding and fixing error handling bugs and are testing it on
> various cryptographic libraries and applications that use them.
> 
> In the most recent version of OpenSSL, we discovered various instances
> where there may be memory leak on error path, potential error
> propagation or missing check of function call. And we also give a patch
> for each potential bug.
> 
> Please let us know how you intend to address these issues.

Guidance for how to correctly submit patches is given in the
CONTRIBUTING file here:

https://github.com/openssl/openssl/blob/master/CONTRIBUTING

Please could you submit your fixes as a github pull request? One pull
request for all of these issues should be fine.

We will also need a CLA from all authors:
https://www.openssl.org/policies/cla.html

Thanks!

Matt



> 
> 1:
> https://github.com/openssl/openssl/blob/master/apps/ts.c
> line 891, BIO_new_file(data, "rb") 
> bug info: memory leak on error path
> patch:
> 
> --- a/apps/ts.c
> +++ b/apps/ts.c
> @@ -878,6 +878,7 @@ static TS_VERIFY_CTX *create_verify_ctx(const char
> *data, co
>  {
>  TS_VERIFY_CTX *ctx = NULL;
>  BIO *input = NULL;
> +BIO *out = NULL;
>  TS_REQ *request = NULL;
>  int ret = 0;
>  int f = 0;
> @@ -888,7 +889,8 @@ static TS_VERIFY_CTX *create_verify_ctx(const char
> *data, co
>  f = TS_VFY_VERSION | TS_VFY_SIGNER;
>  if (data != NULL) {
>  f |= TS_VFY_DATA;
> -if (TS_VERIFY_CTX_set_data(ctx, BIO_new_file(data, "rb"))
> == NULL)
> +out = BIO_new_file(data, "rb")
> +if (TS_VERIFY_CTX_set_data(ctx, out) == NULL)
>  goto err;
>  } else if (digest != NULL) {
>  long imprint_len;
> @@ -931,6 +933,7 @@ static TS_VERIFY_CTX *create_verify_ctx(const char
> *data, co
>  }
>  BIO_free_all(input);
>  TS_REQ_free(request);
> +BIO_free_all(out)
>  return ctx;
>  }
> 
> 
> 
> 2:
> https://github.com/openssl/openssl/blob/master/crypto/dh/dh_gen.c
> line 75,77,  ret->p = BN_new() 
> bug info: memory leak on error path
> patch:
> @@ -126,5 +126,7 @@ static int dh_builtin_genparams(DH *ret, int
> prime_len, int 
>  BN_CTX_end(ctx);
>  BN_CTX_free(ctx);
>  }
> +if(ret->p!=NULL)BN_free(ret->p);
> +if(ret->g!=NULL)BN_free(ret->g);
>  return ok;
>  }
> 
> 
> 3:
> https://github.com/openssl/openssl/blob/master/crypto/ec/ec_key.c
> line 117, dest->priv_key = BN_new(); 
> bug info: memory leak on error path
> patch:
> 
> @@ -119,9 +119,11 @@ EC_KEY *EC_KEY_copy(EC_KEY *dest, const EC_KEY *src)
>  return NULL;
>  }
>  if (!BN_copy(dest->priv_key, src->priv_key))
> +BN_free(dest->priv_key)
>  return NULL;
>  if (src->group->meth->keycopy
>  && src->group->meth->keycopy(dest, src) == 0)
> +BN_free(dest->priv_key)
>  return NULL;
>  }
>  }
> @@ -134,6 +136,7 @@ EC_KEY *EC_KEY_copy(EC_KEY *dest, const EC_KEY *src)
>  dest->flags = src->flags;
>  if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_EC_KEY,
>  >ex_data, >ex_data))
> +BN_free(dest->priv_key)
>  return NULL;
>  
>  if (src->meth != dest->meth) {
> @@ -146,6 +149,7 @@ EC_KEY *EC_KEY_copy(EC_KEY *dest, const EC_KEY *src)
>  }
>  
>  if (src->meth->copy != NULL && src->meth->copy(dest, src) == 0)
> +BN_free(dest->priv_key)
>  return NULL;
>  
>  return dest;
> 
> 
> 4:(solved in the recent commit)
> https://github.com/openssl/openssl/blob/master/crypto/asn1/a_digest.c
> line 33, str = OPENSSL_malloc(i)); 
> bug info: memory leak on error path
> patch: OPENSSL_free(str);
> patch location: 41
> 
> 5:
> https://github.com/openssl/openssl/blob/master/crypto/asn1/bio_ndef.c
> line 116,185, p = OPENSSL_malloc(derlen);
> bug info: memory leak on error path
> patch:
> 
> @@ -122,6 +122,7 @@ static int ndef_prefix(BIO *b, unsigned char **pbuf,
> int *pl
>  derlen = ASN1_item_ndef_i2d(ndef_aux->val, , ndef_aux->it);
>  
>  if (!*ndef_aux->boundary)
> +OPENSSL_free(p);
>  return 0;
>  
>  *plen = *ndef_aux->boundary - *pbuf;
> @@ -191,6 +192,7 @@ static int ndef_suffix(BIO *b, unsigned char **pbuf,
> int *pl
>  derlen = ASN1_item_ndef_i2d(ndef_aux->val, , ndef_aux->it);
>  
>  if (!*ndef_aux->boundary)
> +OPENSSL_free(p);
>  return 0;
>  *pbuf = *ndef_aux->boundary;
>  *plen = derlen - (*ndef_aux->boundary - ndef_aux->derbuf);
> 
> 6:
> https://github.com/openssl/openssl/blob/master/crypto/bio/bss_bio.c
> line 625, b1->buf = OPENSSL_malloc(b1->size);
> bug info: memory leak on error path
> patch:
> 
> @@ -635,6 +635,7 @@ static int 

Re: [openssl-dev] Bug reports and patches for OpenSSL

[Hanno Böck]

On Sun, 5 Feb 2017 01:54:06 -0500
yuchi tian  wrote:

> We are software engineering researchers at University of Virginia. As
> part of a research project, we have built a tool for automatically
> finding and fixing error handling bugs and are testing it on
> various cryptographic libraries and applications that use them.

I can't answer on how to best report those bugs, but:
That sounds like interesting research.

Will you make the tool and the corresponding scientific publication
public?

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] Bug reports and patches for OpenSSL

[yuchi tian]

Dear OpenSSL developers,

We are software engineering researchers at University of Virginia. As part
of a research project, we have built a tool for automatically finding and
fixing error handling bugs and are testing it on
various cryptographic libraries and applications that use them.

In the most recent version of OpenSSL, we discovered various instances
where there may be memory leak on error path, potential error propagation
or missing check of function call. And we also give a patch for each
potential bug.

Please let us know how you intend to address these issues.

1:
https://github.com/openssl/openssl/blob/master/apps/ts.c
line 891, BIO_new_file(data, "rb")
bug info: memory leak on error path
patch:

--- a/apps/ts.c
+++ b/apps/ts.c
@@ -878,6 +878,7 @@ static TS_VERIFY_CTX *create_verify_ctx(const char
*data, co
 {
 TS_VERIFY_CTX *ctx = NULL;
 BIO *input = NULL;
+BIO *out = NULL;
 TS_REQ *request = NULL;
 int ret = 0;
 int f = 0;
@@ -888,7 +889,8 @@ static TS_VERIFY_CTX *create_verify_ctx(const char
*data, co
 f = TS_VFY_VERSION | TS_VFY_SIGNER;
 if (data != NULL) {
 f |= TS_VFY_DATA;
-if (TS_VERIFY_CTX_set_data(ctx, BIO_new_file(data, "rb")) ==
NULL)
+out = BIO_new_file(data, "rb")
+if (TS_VERIFY_CTX_set_data(ctx, out) == NULL)
 goto err;
 } else if (digest != NULL) {
 long imprint_len;
@@ -931,6 +933,7 @@ static TS_VERIFY_CTX *create_verify_ctx(const char
*data, co
 }
 BIO_free_all(input);
 TS_REQ_free(request);
+BIO_free_all(out)
 return ctx;
 }



2:
https://github.com/openssl/openssl/blob/master/crypto/dh/dh_gen.c
line 75,77,  ret->p = BN_new()
bug info: memory leak on error path
patch:
@@ -126,5 +126,7 @@ static int dh_builtin_genparams(DH *ret, int prime_len,
int
 BN_CTX_end(ctx);
 BN_CTX_free(ctx);
 }
+if(ret->p!=NULL)BN_free(ret->p);
+if(ret->g!=NULL)BN_free(ret->g);
 return ok;
 }


3:
https://github.com/openssl/openssl/blob/master/crypto/ec/ec_key.c
line 117, dest->priv_key = BN_new();
bug info: memory leak on error path
patch:

@@ -119,9 +119,11 @@ EC_KEY *EC_KEY_copy(EC_KEY *dest, const EC_KEY *src)
 return NULL;
 }
 if (!BN_copy(dest->priv_key, src->priv_key))
+BN_free(dest->priv_key)
 return NULL;
 if (src->group->meth->keycopy
 && src->group->meth->keycopy(dest, src) == 0)
+BN_free(dest->priv_key)
 return NULL;
 }
 }
@@ -134,6 +136,7 @@ EC_KEY *EC_KEY_copy(EC_KEY *dest, const EC_KEY *src)
 dest->flags = src->flags;
 if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_EC_KEY,
 >ex_data, >ex_data))
+BN_free(dest->priv_key)
 return NULL;

 if (src->meth != dest->meth) {
@@ -146,6 +149,7 @@ EC_KEY *EC_KEY_copy(EC_KEY *dest, const EC_KEY *src)
 }

 if (src->meth->copy != NULL && src->meth->copy(dest, src) == 0)
+BN_free(dest->priv_key)
 return NULL;

 return dest;


4:(solved in the recent commit)
https://github.com/openssl/openssl/blob/master/crypto/asn1/a_digest.c
line 33, str = OPENSSL_malloc(i));
bug info: memory leak on error path
patch: OPENSSL_free(str);
patch location: 41

5:
https://github.com/openssl/openssl/blob/master/crypto/asn1/bio_ndef.c
line 116,185, p = OPENSSL_malloc(derlen);
bug info: memory leak on error path
patch:

@@ -122,6 +122,7 @@ static int ndef_prefix(BIO *b, unsigned char **pbuf,
int *pl
 derlen = ASN1_item_ndef_i2d(ndef_aux->val, , ndef_aux->it);

 if (!*ndef_aux->boundary)
+OPENSSL_free(p);
 return 0;

 *plen = *ndef_aux->boundary - *pbuf;
@@ -191,6 +192,7 @@ static int ndef_suffix(BIO *b, unsigned char **pbuf,
int *pl
 derlen = ASN1_item_ndef_i2d(ndef_aux->val, , ndef_aux->it);

 if (!*ndef_aux->boundary)
+OPENSSL_free(p);
 return 0;
 *pbuf = *ndef_aux->boundary;
 *plen = derlen - (*ndef_aux->boundary - ndef_aux->derbuf);

6:
https://github.com/openssl/openssl/blob/master/crypto/bio/bss_bio.c
line 625, b1->buf = OPENSSL_malloc(b1->size);
bug info: memory leak on error path
patch:

@@ -635,6 +635,7 @@ static int bio_make_pair(BIO *bio1, BIO *bio2)
 b2->buf = OPENSSL_malloc(b2->size);
 if (b2->buf == NULL) {
 BIOerr(BIO_F_BIO_MAKE_PAIR, ERR_R_MALLOC_FAILURE);
+OPENSSL_free(b1->buf);
 return 0;
 }
 b2->len = 0;

7:
https://github.com/openssl/openssl/blob/master/crypto/ec/ec_ameth.c
line 244, ep = OPENSSL_malloc(eplen);
bug info: memory leak on error path
patch:
@@ -255,6 +255,7 @@ static int eckey_priv_encode(PKCS8_PRIV_KEY_INFO *p8,
const

 if (!PKCS8_pkey_set0(p8, OBJ_nid2obj(NID_X9_62_id_ecPublicKey), 0,
  ptype, pval, ep, eplen))
+OPENSSL_free(ep);
 return 0;

 return 1;


8:

[openssl-dev] [openssl.org #2831] patches for openssl 1.0.1c digest stuff

[Rich Salz via RT]

Too late for 1.0.1 and too much work for 1.0.2 :)
We fixed it in master (1.1) by saying "any supported digest" which isn't ideal,
admittedly.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org

___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] Merging Gentoo patches on OpenSSL

[Hanno Böck]

Hello,

The Gentoo package for OpenSSL currently has a number of patches. The
last OpenSSL 1.0.2a update took a bit longer due to that - patches had
to be adjusted first.

I think most (if not all) of these patches should just be incorporated
into OpenSSL itself, as they're not Gentoo-specific. Minor fixes, built
system improvements etc. Most of them have been submitted to the
openssl rt in the past, but got no reaction so far.

What can we do to work on merging them? Would you prefer git pull
requests?

Some examples:

Let Makefiles respect LDFLAGS:
https://rt.openssl.org/Ticket/Display.html?id=3332user=guestpass=guest

Fix parallel builds:
https://rt.openssl.org/Ticket/Display.html?id=2084user=guestpass=guest

Build fix of 64 bit on 32 bit systems:
https://bugs.gentoo.org/show_bug.cgi?id=542618

-- 
Hanno Böck
http://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: BBB51E42


pgpm56SmisO65.pgp
Description: OpenPGP digital signature
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] Merging Gentoo patches on OpenSSL

[Matt Caswell]

On 01/04/15 18:32, Hanno Böck wrote:
 Hello,
 
 The Gentoo package for OpenSSL currently has a number of patches.
 The last OpenSSL 1.0.2a update took a bit longer due to that -
 patches had to be adjusted first.

How many patches are you talking about?

 
 I think most (if not all) of these patches should just be
 incorporated into OpenSSL itself, as they're not Gentoo-specific.
 Minor fixes, built system improvements etc. Most of them have been
 submitted to the openssl rt in the past, but got no reaction so
 far.
 
 What can we do to work on merging them? Would you prefer git pull 
 requests?
 
 Some examples:
 
 Let Makefiles respect LDFLAGS: 
 https://rt.openssl.org/Ticket/Display.html?id=3332user=guestpass=guest

This
 
one says its been applied and is marked as resolved. Are you
saying its not? Mind you it doesn't seem to be about LDFLAGS so
perhaps you meant a different one?

 
 Fix parallel builds: 
 https://rt.openssl.org/Ticket/Display.html?id=2084user=guestpass=guest

That
 
one also says its been applied and is marked as resolved?

 
 Build fix of 64 bit on 32 bit systems: 
 https://bugs.gentoo.org/show_bug.cgi?id=542618
 



Matt
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] Merging Gentoo patches on OpenSSL

[James Cloos]

MC This one says its been applied and is marked as resolved. Are you
MC saying its not? Mind you it doesn't seem to be about LDFLAGS so
MC perhaps you meant a different one?

The openssl-1.0.0a-ldflags.patch still applies to master.

As does openssl-1.0.2a-x32-asm.patch.

MC That one also says its been applied and is marked as resolved?

Most of the hunks in Gentoo's openssl-1.0.2a-parallel-build.patch also
still apply to master.  (9 of 17.)

And 17 of 27 hunks of openssl-1.0.2-ipv6.patch also still apply.

(That is based on the 7 patches in Gentoo's openssl-1.0.2a.ebuild.)

-JimC
-- 
James Cloos cl...@jhcloos.com OpenPGP: 0x997A9F17ED7DAEA6
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl.org #782] IBM patches to OpenSSL-0.9.7c

[Rich Salz via RT]

The assembly code seems to have been included already.
The platforms we want are included already.
I think we've got the 'good bits' from this; if not, please
open a new ticket to cover it. thanks.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org

__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

Re: [openssl.org #782] IBM patches to OpenSSL-0.9.7c

[Peter Waltenberg]

That's essentially correct.
Any IBM contributions from me have been dealt already, just to save time if
you hit more.

Thanks
Peter





From:   Rich Salz via RT r...@openssl.org
To: Peter Waltenberg/Australia/IBM@IBMAU
Cc: openssl-dev@openssl.org
Date:   15/08/2014 12:27 PM
Subject:[openssl.org #782] IBM patches to OpenSSL-0.9.7c



The assembly code seems to have been included already.
The platforms we want are included already.
I think we've got the 'good bits' from this; if not, please
open a new ticket to cover it. thanks.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

[openssl.org #2831] patches for openssl 1.0.1c digest stuff

[Jim Reid via RT]

Hi. openssl 1.0.1c and its man pages don't tell the full story about  
support for secure hash algorithms, especially the SHA family. The  
attached patch fixes this. Though it's a bit clunky.

FWIW openssl dss1 seems to be an alias for sha1 and the output is  
reported as DSA. But we can't have a digest man page for dsa since  
that already exists.




openssl-hash-patch
Description: Binary data

[openssl.org #499] Patches to OpenSSL for Stratus VOS

[Green, Paul via RT]

The patches described in request-tracker entry #499 are now obsolete.  As
far as I am concerned, request #499 can be closed.

Please see the email thread starting at
http://marc.theaimsgroup.com/?l=openssl-devm=108008359106412w=2 for the
updated patch.  This is a letter I originally sent to openssl-dev on March
23, 2004, and which has some follow-ups from Richard Levitte and myself.

I neglected to send in this newer patch to the request tracker; please let
me know if you would like me to do this.

I don't need the patch applied to the 0.9.7 branch; I'd be satisified to see
it applied to the 0.9.8-dev branch.

Thanks
PG
--
Stratus Technologies
111 Powdermill Road
Maynard, MA 01754-3409 U.S.A.

Paul Green
Senior Technical Consultant
TEL +1 (978) 461-7557
FAX +1 (978) 461-3610

__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: [openssl.org #499] Patches to OpenSSL for Stratus VOS

[Richard Levitte - VMS Whacker]

If you could please send the new patch as an update to this ticket
(for example by replying to this message and making sure it reaches
[EMAIL PROTECTED]), that would be the best way.

In message [EMAIL PROTECTED] on Mon,  7 Jun 2004 21:33:49 +0200 (METDST), Green, 
Paul via RT [EMAIL PROTECTED] said:

rt 
rt The patches described in request-tracker entry #499 are now
rt obsolete.  As far as I am concerned, request #499 can be closed.
rt 
rt Please see the email thread starting at
rt http://marc.theaimsgroup.com/?l=openssl-devm=108008359106412w=2
rt for the updated patch.  This is a letter I originally sent to
rt openssl-dev on March 23, 2004, and which has some follow-ups from
rt Richard Levitte and myself.
rt 
rt I neglected to send in this newer patch to the request tracker;
rt please let me know if you would like me to do this.
rt 
rt I don't need the patch applied to the 0.9.7 branch; I'd be
rt satisified to see it applied to the 0.9.8-dev branch.

-
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.

-- 
Richard Levitte   \ Tunnlandsvägen 52 \ [EMAIL PROTECTED]
[EMAIL PROTECTED]  \ S-168 36  BROMMA  \ T: +46-708-26 53 44
\  SWEDEN   \
Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See http://www.stacken.kth.se/~levitte/mail/ for more info.
__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: [openssl.org #499] Patches to OpenSSL for Stratus VOS

[Richard Levitte - VMS Whacker via RT]

If you could please send the new patch as an update to this ticket
(for example by replying to this message and making sure it reaches
[EMAIL PROTECTED]), that would be the best way.

In message [EMAIL PROTECTED] on Mon,  7 Jun 2004 21:33:49 +0200 (METDST), Green, 
Paul via RT [EMAIL PROTECTED] said:

rt 
rt The patches described in request-tracker entry #499 are now
rt obsolete.  As far as I am concerned, request #499 can be closed.
rt 
rt Please see the email thread starting at
rt http://marc.theaimsgroup.com/?l=openssl-devm=108008359106412w=2
rt for the updated patch.  This is a letter I originally sent to
rt openssl-dev on March 23, 2004, and which has some follow-ups from
rt Richard Levitte and myself.
rt 
rt I neglected to send in this newer patch to the request tracker;
rt please let me know if you would like me to do this.
rt 
rt I don't need the patch applied to the 0.9.7 branch; I'd be
rt satisified to see it applied to the 0.9.8-dev branch.

-
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.

-- 
Richard Levitte   \ Tunnlandsvägen 52 \ [EMAIL PROTECTED]
[EMAIL PROTECTED]  \ S-168 36  BROMMA  \ T: +46-708-26 53 44
\  SWEDEN   \
Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See http://www.stacken.kth.se/~levitte/mail/ for more info.

__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

RE: [openssl.org #499] Patches to OpenSSL for Stratus VOS

[Green, Paul via RT]

The following patch should replace the patch originally submitted for
request #499.  This patch helps OpenSSL build on the Stratus VOS operating
system using our POSIX environment.  These changes should not affect any
other operating system.

This patch is nearly identical to the one I mailed to openssl-dev on March
23, 2004. The difference is that I eliminated my changes to comment-out the
unconditional execution of openssl.pm in apps/Makefile.ssl because (a)
Richard Levitte objected and (b) the affected command line starts with a
hyphen, so the fact that it fails when cross-compiling should be ignored by
the make command.

I don't need the patch applied to the 0.9.7 branch; I'd be satisified to see
it applied to the 0.9.8-dev branch.

I just checked and it will apply cleanly to 0.9.7c and 0.9.7d; it will
display a few offset messages with 0.9.7d but these are harmless.

Thanks
PG
--
Paul Green, Senior Technical Consultant, Stratus Technologies.
Voice: +1 978-461-7557; FAX: +1 978-461-3610; AIM: PaulGreen

__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

RE: [openssl.org #782] IBM patches to OpenSSL-0.9.7c

[Gaurav Khanna]

I was curious about the diffs/patch and config mentioned in the posting
below (The itanium part if segregated, or the complete patch) and was
rummaging the list for that.
Is there someplace i can download from, or look at the patch.

Thanks
Gaurav

-Original Message-
From: Lutz Jaenicke via RT [mailto:[EMAIL PROTECTED]
Sent: Monday, December 01, 2003 5:31 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: [openssl.org #782] IBM patches to OpenSSL-0.9.7c 



[levitte - Mon Dec  1 13:18:42 2003]:

 Uh, are you sure you attached ibm.patch?  I can't seem to see that 
 patch.

Yes, the patch was attached to the Mail (some 2.x MB)... I will attach a
compressed version to this reply.

Best regards,
  Lutz

__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]
__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

RE: [openssl.org #782] IBM patches to OpenSSL-0.9.7c

[Doug Kaufman]

On Fri, 2 Apr 2004, Gaurav Khanna wrote:

 I was curious about the diffs/patch and config mentioned in the posting
 below (The itanium part if segregated, or the complete patch) and was
 rummaging the list for that.
 Is there someplace i can download from, or look at the patch.

You need to get attachments from the response tracker:
http://www.aet.tu-cottbus.de/rt2/Ticket/Attachment/5077/3485/ibm.patch.gz;
http://www.aet.tu-cottbus.de/rt2/Ticket/Attachment/5067/3476/config;

The ticket number is in the Subject of the email. You can go to the main
Response Tracker page at http://www.aet.tu-cottbus.de/rt2/;.
 Doug
-- 
Doug Kaufman
Internet: [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

[openssl.org #782] IBM patches to OpenSSL-0.9.7c

[Richard Levitte via RT]

Uh, are you sure you attached ibm.patch?  I can't seem to see that 
patch.

[EMAIL PROTECTED] - Mon Dec  1 08:34:29 2003]:

[...]
 Diff's between OpenSSL-0.9.7c and IBM's code.
 
 (See attached file: ibm.patch)
 
 IBM specific configuration. i.e. the options we pass through to 
OpenSSL
 Configure.
 
 (See attached file: config)

-- 
Richard Levitte
[EMAIL PROTECTED]
__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

[openssl.org #782] IBM patches to OpenSSL-0.9.7c

[Lutz Jaenicke via RT]

[levitte - Mon Dec  1 13:18:42 2003]:

 Uh, are you sure you attached ibm.patch?  I can't seem to see that 
 patch.

Yes, the patch was attached to the Mail (some 2.x MB)... I will attach a
compressed version to this reply.

Best regards,
  Lutz

__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: Patches to openssl-0.9.6c for OpenServer 5.0.6a new socketlibs.

[Richard Levitte - VMS Whacker]

From: Boyd Lynn Gerber [EMAIL PROTECTED]

gerberb With the release of the rs506a patch about a year ago openssl-0.9.6x
gerberb started having problems with the native compiler.  Below is what SCO has
gerberb posted and made available.  The current method uses COFF.  Which causes
gerberb problems.  I have attached to files that work.  Also for 3 files for
gerberb shared libraries are at the bottom.

Hello Boyd,

I'm considering your patch, and am wondering why you felt you needed
entirely separate Configure entries for shared libraries instead of
just augmenting the existing ones with the shared library support
information?

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken  \ S-168 35  BROMMA  \ T: +46-8-26 52 47
\  SWEDEN   \ or +46-733-72 88 11
Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/
Software Engineer, GemPlus: http://www.gemplus.com/

Unsolicited commercial email is subject to an archival fee of $400.
See http://www.stacken.kth.se/~levitte/mail/ for more info.
__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: Patches to openssl-0.9.6c for OpenServer 5.0.6a new socket libs.

[Boyd Lynn Gerber]

On Wed, 2 Jan 2002, Richard Levitte - VMS Whacker wrote:
 I'm considering your patch, and am wondering why you felt you needed
 entirely separate Configure entries for shared libraries instead of
 just augmenting the existing ones with the shared library support
 information?

The first ones I sent were wrong for Configure.  I grab the first pass
instead of the final version.  Here is the correct Configure patch.

Thanks,

--
Boyd Gerber [EMAIL PROTECTED]
ZENEZ   3748 Valley Forge Road, Magna Utah  84044



*** Configure.org Thu Dec  6 06:11:39 2001
--- Configure Fri Dec 28 16:39:23 2001
***
*** 421,427 
  
  # SCO 5 - Ben Laurie [EMAIL PROTECTED] says the -O breaks the
  # SCO cc.
! sco5-cc,  cc:::(unknown):-lsocket:${x86_gcc_des} ${x86_gcc_opts}:::, # des 
options?
  sco5-cc-pentium,  cc:-Kpentium::(unknown):-lsocket:${x86_gcc_des} 
${x86_gcc_opts}:::, # des options?
  sco5-gcc,  gcc:-O3 -fomit-frame-pointer::(unknown):-lsocket:BN_LLONG 
${x86_gcc_des} ${x86_gcc_opts}:::, # the SCO assembler doesn't seem to like our 
assembler files ...
  
--- 421,427 
  
  # SCO 5 - Ben Laurie [EMAIL PROTECTED] says the -O breaks the
  # SCO cc.
! sco5-cc,  cc:-belf::(unknown):-lsocket -lresolv:${x86_gcc_des} 
${x86_gcc_opts}:::, # des options?
  sco5-cc-pentium,  cc:-Kpentium::(unknown):-lsocket:${x86_gcc_des} 
${x86_gcc_opts}:::, # des options?
  sco5-gcc,  gcc:-O3 -fomit-frame-pointer::(unknown):-lsocket:BN_LLONG 
${x86_gcc_des} ${x86_gcc_opts}:::, # the SCO assembler doesn't seem to like our 
assembler files ...
  sco5-cc-shared,cc:-belf::(unknown):-lsocket -lresolv -lnsl:MD2_CHAR RC4_INDEX 
${x86_gcc_des}::dlfcn:svr3-shared:-Kpic,
***
*** 424,429 
  sco5-cc,  cc:::(unknown):-lsocket:${x86_gcc_des} ${x86_gcc_opts}:::, # des 
options?
  sco5-cc-pentium,  cc:-Kpentium::(unknown):-lsocket:${x86_gcc_des} 
${x86_gcc_opts}:::, # des options?
  sco5-gcc,  gcc:-O3 -fomit-frame-pointer::(unknown):-lsocket:BN_LLONG 
${x86_gcc_des} ${x86_gcc_opts}:::, # the SCO assembler doesn't seem to like our 
assembler files ...
  
  # Sinix/ReliantUNIX RM400
  # NOTE: The CDS++ Compiler up to V2.0Bsomething has the IRIX_CC_BUG optimizer 
problem. Better use -g  */
--- 424,431 
  sco5-cc,  cc:-belf::(unknown):-lsocket -lresolv:${x86_gcc_des} 
${x86_gcc_opts}:::, # des options?
  sco5-cc-pentium,  cc:-Kpentium::(unknown):-lsocket:${x86_gcc_des} 
${x86_gcc_opts}:::, # des options?
  sco5-gcc,  gcc:-O3 -fomit-frame-pointer::(unknown):-lsocket:BN_LLONG 
${x86_gcc_des} ${x86_gcc_opts}:::, # the SCO assembler doesn't seem to like our 
assembler files ...
+ sco5-cc-shared,cc:-belf::(unknown):-lsocket -lresolv -lnsl:MD2_CHAR RC4_INDEX 
+${x86_gcc_des}::dlfcn:svr3-shared:-Kpic,
+ sco5-gcc-shared,gcc:-O3 -fomit-frame-pointer::(unknown):-lsocket -lresolv 
+-lnsl:MD2_CHAR RC4_INDEX ${x86_gcc_des}::dlfcn:svr3-shared:-fpic,
  
  # Sinix/ReliantUNIX RM400
  # NOTE: The CDS++ Compiler up to V2.0Bsomething has the IRIX_CC_BUG optimizer 
problem. Better use -g  */

Re: Patches for OpenSSL

[Massimiliano Pala]

Bodo Moeller wrote:

  Do you prefer the patch against the pre-patched version or against the
  patched version of the ca.pod file ?
 
 I'd prefer one for the patched version (but it shouldn't really matter
 if you use a context or unified diff).

Here it is. I think it should be error free, anyway if you have time check
it before submission (:-D).

 I don't think anyone has plans for that currently.  If large-impact
 changes are needed, this should be discussed on openssl-dev.

Yes, I know. I have to check. Some work could be initially done by
introducing another switch (and conf keyword) to enable/disable the
usage of the index.txt backend during certificate issuing -- this
would enable using ca command with unsupported certificate profiles
(such as duplicate DNs).

Then, with patience, it should be a good thing starting a rewriting of
the backend db support ... and then, only then, we could start adding
new RFCs supported certificate profiles... This is a quite big work
to be done and I am not sure it can be done without backward
compatibility issues rising...

Another idea worth exploring could be the writing of a libca where ca
functions are held but I am not sure this is the scope of the openssl
project... anyway as this is strictly tied with openssl library itself
it could be useful having it together with the package.

I will forward this e-mail to the openssl-dev mailing list also to get
the feeling about all this stuff.

-- 

C'you,

Massimiliano Pala

--o-
Massimiliano Pala [OpenCA Project Manager]  [EMAIL PROTECTED]
  [EMAIL PROTECTED]
 [EMAIL PROTECTED]
http://www.openca.orgTel.:   +39 (0)59  270  094
http://openca.sourceforge.netMobile: +39 (0)347 7222 365

--- ca.pod  Mon Oct 22 19:20:50 2001
+++ ca.pod.new  Mon Oct 22 19:20:25 2001
@@ -34,6 +34,7 @@
 [B-spkac file]
 [B-ss_cert file]
 [B-preserveDN]
+[B-noemailDN]
 [B-batch]
 [B-msie_hack]
 [B-extensions section]
@@ -157,6 +158,16 @@
 older IE enrollment control which would only accept certificates if their
 DNs match the order of the request. This is not needed for Xenroll.
 
+=item B-noemailDN
+
+The DN of a certificate can contain the EMAIL field if present in the
+request DN, however it is good policy just having the e-mail set into
+the altName extension of the certificate. When this option is set the
+EMAIL field is removed from the certificate' subject and set only in
+the, eventually present, extensions. The Bemail_in_dn keyword can be
+used in the configuration file to enable this behaviour.
+
+=item B-batch
 =item B-batch
 
 this sets the batch mode. In this mode no questions will be asked
@@ -437,6 +448,7 @@
  default_md = md5   # md to use
 
  policy = policy_any# default policy
+ email_in_dn= no# Don't add the email into cert DN
 
  nameopt   = default_ca# Subject name display option
  certopt   = default_ca# Certificate display option
@@ -518,8 +530,11 @@
 BCA.pl help a little but not very much.
 
 Any fields in a request that are not present in a policy are silently
-deleted. This does not happen if the B-preserveDN option is used.
-The behaviour should be more friendly and configurable.
+deleted. This does not happen if the B-preserveDN option is used. To
+enforce the absence of the EMAIL field within the DN, as suggested by
+RFCs, regardless the contents of the request' subject the B-noemailDN
+option can be used. The behaviour should be more friendly and
+configurable.
 
 Cancelling some commands by refusing to certify a certificate can
 create an empty file.

 S/MIME Cryptographic Signature

Re: Patches for OpenSSL [EMAIL in DN]

[Massimiliano Pala]

Harald Koch wrote:

 There's a configuration option in the openssl.conf file that lets you
 either copy or move the email address from the X509 subject to the
 subjectAltName extension.

The problem was that if you did not wanted the EMAIL field in the subject
while having the extensions correctly set you should use the $ENV support
for it to be set (I know of any other methods useful when issuing certs
as the email is one field that changes for every certificate and it is
not recomended to edit the config file each new certificate :-D ).

I think this patch is useful at least when dealing with SPKAC and PKCS#10
(not IE, I suppose it has some problem importing certificates with DN
different from the one submitted in the req) requests -- gives you the
chance not to change the code you already have for certificate requesting,
also could help enforcing a correct policy within your CA.

At least to me...

-- 

C'you,

Massimiliano Pala

--o-
Massimiliano Pala [OpenCA Project Manager]  [EMAIL PROTECTED]
  [EMAIL PROTECTED]
 [EMAIL PROTECTED]
http://www.openca.orgTel.:   +39 (0)59  270  094
http://openca.sourceforge.netMobile: +39 (0)347 7222 365


smime.p7s
Description: S/MIME Cryptographic Signature

Patches for OpenSSL [EMAIL in DN]

[Massimiliano Pala]

Hi,

It's been some time since I wrote last time on the mailing lists (:-D),
anyway I have some patches for the ca.c command. This time them should be
complete (the ca.pod patch is present also).

To patch simply copy the ca.patch in the apps/ dir and the ca.pod.patch
in the docs/apps and do:

$ cd apps
$ patch ca.patch
$ cd ../doc/apps
$ patch ca.pod.patch

[just to be complete :-D ]

Please let me know your opinion.

P.S.: Actually I get a core dump on the SNAP (20011013) independently from
my patch (so I use it together with an old SNAP that works - 20010826) when
using many commands as req, ca, etc... 

Now it comes the real stuff.

DESCRIPTION
===

This patch adds the possibility to not include the EMAIL field in the
DN of the issued certificate when issuing a new certificate. This was
needed as the inclusion of the EMAIL is actually deprecated by RFCs.

This patch does not alter the normal behaviour of the ca command if the
flag or the config keyword is not used.

The added flag reads as follows:

   -noemailDN  - Don't add the EMAIL field into certificate' subject

command line samples usage:

   openssl ca -spkac spkac.req -cert cacert.pem -keyfile cakey.pem \
  -config conf/openssl/openssl.cnf -noemailDN -preserveDN

   openssl ca -in req.pem -noemailDN -cert cacert.pem -keyfile cakey.pem \
  -config conf/openssl/openssl.cnf

The added configuration key is email_in_dn and if set to no the
EMAIL field is not added to the certificate' subject (equivalent to the
usage of the -noemailDN command line switch). The command line option
overrides the configuration file's value.

sample configuration keyword usage:

...
oid_file= $dir/private/.oid

x509_extensions = user_cert # The extentions to add to the cert
email_in_dn = no# Don't add the email into the cert DN
...


-- 

C'you,

Massimiliano Pala

--o-
Massimiliano Pala [OpenCA Project Manager]  [EMAIL PROTECTED]
  [EMAIL PROTECTED]
 [EMAIL PROTECTED]
http://www.openca.orgTel.:   +39 (0)59  270  094
http://openca.sourceforge.netMobile: +39 (0)347 7222 365

--- ca.cTue Oct 16 00:46:06 2001
+++ ca.new  Tue Oct 16 00:45:41 2001
@@ -126,6 +126,7 @@
 #define ENV_DEFAULT_CRL_DAYS   default_crl_days
 #define ENV_DEFAULT_CRL_HOURS  default_crl_hours
 #define ENV_DEFAULT_MD default_md
+#define ENV_DEFAULT_EMAIL_DN   email_in_dn
 #define ENV_PRESERVE   preserve
 #define ENV_POLICY policy
 #define ENV_EXTENSIONS x509_extensions
@@ -182,6 +183,7 @@
  -spkac file - File contains DN and signed public key and challenge\n,
  -ss_cert file   - File contains a self signed cert to sign\n,
  -preserveDN - Don't re-order the DN\n,
+ -noemailDN  - Don't add the EMAIL field into certificate' subject\n,
  -batch  - Don't ask questions\n,
  -msie_hack  - msie modifications to handle all those universal strings\n,
  -revoke file- Revoke a certificate (given in file)\n,
@@ -211,32 +213,32 @@
 static int save_serial(char *serialfile, BIGNUM *serial);
 static int certify(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509,
   const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy,TXT_DB *db,
-  BIGNUM *serial, char *subj, char *startdate,char *enddate,
-  long days, int batch, char *ext_sect, CONF *conf,int verbose,
-  unsigned long certopt, unsigned long nameopt, int default_op,
-  int ext_copy);
+  BIGNUM *serial, char *subj, int email_dn, char *startdate,
+  char *enddate, long days, int batch, char *ext_sect, CONF *conf,
+  int verbose, unsigned long certopt, unsigned long nameopt,
+  int default_op, int ext_copy);
 static int certify_cert(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509,
const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy,
-   TXT_DB *db, BIGNUM *serial, char *subj, char *startdate,
-   char *enddate, long days, int batch, char *ext_sect,
-   CONF *conf,int verbose, unsigned long certopt,
+   TXT_DB *db, BIGNUM *serial, char *subj, int email_dn,
+   char *startdate, char *enddate, long days, int batch,
+   char *ext_sect, CONF *conf,int verbose, unsigned long certopt,
unsigned long nameopt, int default_op, int ext_copy,
ENGINE *e);
 static int certify_spkac(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509,
 const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy,
-TXT_DB *db, 

Re: Patches for OpenSSL [EMAIL in DN]

[Harald Koch]

 This patch adds the possibility to not include the EMAIL field in the
 DN of the issued certificate when issuing a new certificate. This was
 needed as the inclusion of the EMAIL is actually deprecated by RFCs.

This functionality already exists, at least in the 0.9.7 branch.

There's a configuration option in the openssl.conf file that lets you
either copy or move the email address from the X509 subject to the
subjectAltName extension.

-- 
Harald Koch [EMAIL PROTECTED]

It takes a child to raze a village.
-Michael T. Fry
__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Rijndael Patches for OpenSSL 0.9.6: Act 2

[Robert Sandilands]

Attached is the patches for OpenSSL 0.9.6 to enable the AES
winner:Rijndael. Also attached is the files that is not included in the
patch and is new.

Nine files: 

1. rijndael.diff - The diff file to use with "patch -p3 -u"
2. cmd - The command executed to create the diff file.
3. exclude - The files that were excluded.
4. rijndael.c - crypt/rijndael/rijndael.c
5. rijndael.h - crypt/rijndael/rijndael.h
6. Makefile.ssl - crypt/rijndael/Makefile.ssl
7. e_rijndael.c - crypt/evp/rijndael/e_rijndael.c
8. rijntest.c - crypt/rijndael/rijntest.c
9. boxes-fst.dat - crypt/rijndael/boxes-fst.dat

Procedure for using patch:

1. tar zxf openssl-0.9.6.tgz
2. patch -p3 -u  rijndael.diff
3. Copy attaches source files into specified directories.
4. cd openssl-0.9.6
5. Configure 
6. make update
7. Configure 
8. make
9. make test

Tested on:

1. RedHat Linux 7.0 under Intel and Borland C++ Builder 4.0 under
Windoze 98.
2. It should work on most 32-bit architectures and I have no idea
whether it would work on 64-bit architectures and have no access to be
able to test it.

Features and Limitations:

1. It defaults to a 256-bit key but can be configured for 128 and
192-bit keys too. 
2. The block length have been left at 128-bit's but according to the
specifications it is trivial to adjust upwards in 32-bit increments. 
3. Only CBC and ECB modes have been implimented. 

License:

1. I just took the code from the original Rijndael example code from the
author's web-site at http://www.esat.kuleuven.ac.be/~rijmen/rijndael/. 
2. He made it freely available so I'm uncertain what to do with the
license. 
3. I personally wouldn't mind putting the OpenSSL license in it but
maybe we can't. 

Comments:
1. The patch fails with openssl-0.9.6/Makefile.ssl but this is not
important as this file is recreated when you run "Configure". 
2. Any feedback would be appreciated.
3. I don't seem to be receiving any of the replies on my postings so
please CC me on any comments you have please.

Robert Sandilands

diff -u -p -r -b -d -I .o: .. --exclude-from=/home/robert/ftp/openssl/exclude 
./Makefile.org /source/openssl/openssl-0.9.6/Makefile.org
--- ./Makefile.org  Thu Sep 21 11:23:13 2000
+++ /source/openssl/openssl-0.9.6/Makefile.org  Mon Oct 16 13:38:00 2000
@@ -165,7 +165,7 @@ SDIRS=  \
des rc2 rc4 rc5 idea bf cast \
bn rsa dsa dh dso \
buffer bio stack lhash rand err objects \
-   evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp
+   evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp rijndael
 
 MAKEFILE= Makefile.ssl
 MAKE= make -f Makefile.ssl
diff -u -p -r -b -d -I .o: .. --exclude-from=/home/robert/ftp/openssl/exclude 
./Makefile.ssl /source/openssl/openssl-0.9.6/Makefile.ssl
--- ./Makefile.ssl  Tue Oct 24 11:31:30 2000
+++ /source/openssl/openssl-0.9.6/Makefile.ssl  Fri Oct 20 15:19:55 2000
@@ -11,9 +11,9 @@ SHLIB_VERSION_NUMBER=0.9.6
 SHLIB_VERSION_HISTORY=
 SHLIB_MAJOR=0
 SHLIB_MINOR=9.6
-PLATFORM=debug-linux-elf-noefence
+PLATFORM=BC-32
 OPTIONS=
-CONFIGURE_ARGS=debug-linux-elf-noefence
+CONFIGURE_ARGS=BC-32
 SHLIB_TARGET=
 
 # INSTALL_PREFIX is for package builders so that they can configure
@@ -54,20 +54,20 @@ OPENSSLDIR=/usr/local/ssl
 # equal 4.
 # PKCS1_CHECK - pkcs1 tests.
 
-CC= gcc
+CC= bcc32
 #CFLAG= -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall -Wuninitialized 
-DSHA1_ASM -DMD5_ASM -DRMD160_ASM
-CFLAG= -DTHREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DBN_DEBUG -DREF_CHECK 
-DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall 
-DSHA1_ASM -DMD5_ASM -DRMD160_ASM
+CFLAG= -DTHREADS  -DDSO_WIN32 
 DEPFLAG= 
 PEX_LIBS= -L. -L.. -L../.. -L../../..
-EX_LIBS= -ldl
+EX_LIBS= 
 AR=ar r
-RANLIB= /usr/bin/ranlib
-PERL= /usr/bin/perl
+RANLIB= true
+PERL= perl
 TAR= tar
 TARFLAGS= --no-recursion
 
 # Set BN_ASM to bn_asm.o if you want to use the C version
-BN_ASM= asm/bn86-elf.o asm/co86-elf.o
+BN_ASM= bn_asm.o
 #BN_ASM= bn_asm.o
 #BN_ASM= asm/bn86-elf.o# elf, linux-elf
 #BN_ASM= asm/bn86-sol.o # solaris
@@ -87,7 +87,7 @@ PROCESSOR= 
 
 # Set DES_ENC to des_enc.o if you want to use the C version
 #There are 4 x86 assember options.
-DES_ENC= asm/dx86-elf.o asm/yx86-elf.o
+DES_ENC= des_enc.o fcrypt_b.o
 #DES_ENC= des_enc.o fcrypt_b.o  # C
 #DES_ENC= asm/dx86-elf.o asm/yx86-elf.o # elf
 #DES_ENC= asm/dx86-sol.o asm/yx86-sol.o # solaris
@@ -96,7 +96,7 @@ DES_ENC= asm/dx86-elf.o asm/yx86-elf.o
 
 # Set BF_ENC to bf_enc.o if you want to use the C version
 #There are 4 x86 assember options.
-BF_ENC= asm/bx86-elf.o
+BF_ENC= bf_enc.o
 #BF_ENC= bf_enc.o
 #BF_ENC= asm/bx86-elf.o # elf
 #BF_ENC= asm/bx86-sol.o # solaris
@@ -105,7 +105,7 @@ BF_ENC= asm/bx86-elf.o
 
 # Set CAST_ENC to c_enc.o if you want to use the C version
 #There are 4 x86 assember options.
-CAST_ENC= asm/cx86-elf.o
+CAST_ENC= c_enc.o
 #CAST_ENC= c_enc.o
 #CAST_ENC= asm/cx86-elf.o # elf
 #CAST_ENC= asm/cx86-sol.o # solaris
@@ -114,7 +114,7 @@ CAST

Rijndael Patches for OpenSSL 0.9.6

[Robert Sandilands]

Attached is the patches for OpenSSL 0.9.6 to enable the AES
winner:Rijndael.

Three files: 

1. rijndael.diff - The diff file to use with "patch -p3 -u"
2. cmd - The command executed to create the diff file.
3. exclude - The files that were excluded.

Procedure for using patch:

1. tar zxf openssl-0.9.6.tgz
2. patch -p3 -u  rijndael.diff
3. cd openssl-0.9.6
4. Configure 
5. make update
6. Configure 
7. make
8. make test

Tested on:

1. RedHat Linux 7.0 under Intel and Borland C++ Builder 4.0 under
Windoze 98.
2. It should work on most 32-bit architectures and I have no idea
whether it would work on 64-bit architectures and have no access to be
able to test it.

Features and Limitations:

1. It defaults to a 256-bit key but can be configured for 128 and
192-bit keys too. 
2. The block length have been left at 128-bit's but according to the
specifications it is trivial to adjust upwards in 32-bit increments. 
3. Only CBC and ECB modes have been implimented. 

License:

1. I just took the code from the original Rijndael example code from the
author's web-site at http://www.esat.kuleuven.ac.be/~rijmen/rijndael/. 
2. He made it freely available so I'm uncertain what to do with the
license. 
3. I personally wouldn't mind putting the OpenSSL license in it but
maybe we can't. 

Comments:
1. The patch fails with openssl-0.9.6/Makefile.ssl but this is not
important as this file is recreated when you run "Configure". 
2. Any feedback would be appreciated.

Robert Sandilands

diff -u -p -r -b -d -I .o: .. --exclude-from=/home/robert/ftp/openssl/exclude 
./Makefile.org /source/openssl/openssl-0.9.6/Makefile.org
--- ./Makefile.org  Thu Sep 21 11:23:13 2000
+++ /source/openssl/openssl-0.9.6/Makefile.org  Mon Oct 16 13:38:00 2000
@@ -165,7 +165,7 @@ SDIRS=  \
des rc2 rc4 rc5 idea bf cast \
bn rsa dsa dh dso \
buffer bio stack lhash rand err objects \
-   evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp
+   evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp rijndael
 
 MAKEFILE= Makefile.ssl
 MAKE= make -f Makefile.ssl
diff -u -p -r -b -d -I .o: .. --exclude-from=/home/robert/ftp/openssl/exclude 
./Makefile.ssl /source/openssl/openssl-0.9.6/Makefile.ssl
--- ./Makefile.ssl  Tue Oct 24 11:31:30 2000
+++ /source/openssl/openssl-0.9.6/Makefile.ssl  Fri Oct 20 15:19:55 2000
@@ -11,9 +11,9 @@ SHLIB_VERSION_NUMBER=0.9.6
 SHLIB_VERSION_HISTORY=
 SHLIB_MAJOR=0
 SHLIB_MINOR=9.6
-PLATFORM=debug-linux-elf-noefence
+PLATFORM=BC-32
 OPTIONS=
-CONFIGURE_ARGS=debug-linux-elf-noefence
+CONFIGURE_ARGS=BC-32
 SHLIB_TARGET=
 
 # INSTALL_PREFIX is for package builders so that they can configure
@@ -54,20 +54,20 @@ OPENSSLDIR=/usr/local/ssl
 # equal 4.
 # PKCS1_CHECK - pkcs1 tests.
 
-CC= gcc
+CC= bcc32
 #CFLAG= -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall -Wuninitialized 
-DSHA1_ASM -DMD5_ASM -DRMD160_ASM
-CFLAG= -DTHREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DBN_DEBUG -DREF_CHECK 
-DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall 
-DSHA1_ASM -DMD5_ASM -DRMD160_ASM
+CFLAG= -DTHREADS  -DDSO_WIN32 
 DEPFLAG= 
 PEX_LIBS= -L. -L.. -L../.. -L../../..
-EX_LIBS= -ldl
+EX_LIBS= 
 AR=ar r
-RANLIB= /usr/bin/ranlib
-PERL= /usr/bin/perl
+RANLIB= true
+PERL= perl
 TAR= tar
 TARFLAGS= --no-recursion
 
 # Set BN_ASM to bn_asm.o if you want to use the C version
-BN_ASM= asm/bn86-elf.o asm/co86-elf.o
+BN_ASM= bn_asm.o
 #BN_ASM= bn_asm.o
 #BN_ASM= asm/bn86-elf.o# elf, linux-elf
 #BN_ASM= asm/bn86-sol.o # solaris
@@ -87,7 +87,7 @@ PROCESSOR= 
 
 # Set DES_ENC to des_enc.o if you want to use the C version
 #There are 4 x86 assember options.
-DES_ENC= asm/dx86-elf.o asm/yx86-elf.o
+DES_ENC= des_enc.o fcrypt_b.o
 #DES_ENC= des_enc.o fcrypt_b.o  # C
 #DES_ENC= asm/dx86-elf.o asm/yx86-elf.o # elf
 #DES_ENC= asm/dx86-sol.o asm/yx86-sol.o # solaris
@@ -96,7 +96,7 @@ DES_ENC= asm/dx86-elf.o asm/yx86-elf.o
 
 # Set BF_ENC to bf_enc.o if you want to use the C version
 #There are 4 x86 assember options.
-BF_ENC= asm/bx86-elf.o
+BF_ENC= bf_enc.o
 #BF_ENC= bf_enc.o
 #BF_ENC= asm/bx86-elf.o # elf
 #BF_ENC= asm/bx86-sol.o # solaris
@@ -105,7 +105,7 @@ BF_ENC= asm/bx86-elf.o
 
 # Set CAST_ENC to c_enc.o if you want to use the C version
 #There are 4 x86 assember options.
-CAST_ENC= asm/cx86-elf.o
+CAST_ENC= c_enc.o
 #CAST_ENC= c_enc.o
 #CAST_ENC= asm/cx86-elf.o # elf
 #CAST_ENC= asm/cx86-sol.o # solaris
@@ -114,7 +114,7 @@ CAST_ENC= asm/cx86-elf.o
 
 # Set RC4_ENC to rc4_enc.o if you want to use the C version
 #There are 4 x86 assember options.
-RC4_ENC= asm/rx86-elf.o
+RC4_ENC= rc4_enc.o
 #RC4_ENC= rc4_enc.o
 #RC4_ENC= asm/rx86-elf.o # elf
 #RC4_ENC= asm/rx86-sol.o # solaris
@@ -123,7 +123,7 @@ RC4_ENC= asm/rx86-elf.o
 
 # Set RC5_ENC to rc5_enc.o if you want to use the C version
 #There are 4 x86 assember options.
-RC5_ENC= asm/r586-elf.o
+RC5_ENC= rc5_enc.o
 #RC5_ENC= rc5_enc.o
 #RC5_ENC= asm/r586-elf.o # elf
 #RC5_ENC= asm/

Re: Rijndael Patches for OpenSSL 0.9.6

[Bodo Moeller]

On Fri, Oct 27, 2000 at 10:52:16AM +0200, Robert Sandilands wrote:

 Attached is the patches for OpenSSL 0.9.6 to enable the AES
 winner:Rijndael.

Your patch doesn't seem to include any of your new files, such as the
one actually containing the Rijndael implementation ...

Anyway, Ben has already included experimental Rijndael support into
OpenSSL, using the optimised public domain implementation
by Bosselars, Rijmen, and Barreto (see current OpenSSL snapshots).
There's no EVP integration yet though, and even the filenames
used are subject to change (they should differ in the first 8 characters,
but don't).


-- 
Bodo Möller [EMAIL PROTECTED]
PGP http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller/0x36d2c658.html
* TU Darmstadt, Theoretische Informatik, Alexanderstr. 10, D-64283 Darmstadt
* Tel. +49-6151-16-6628, Fax +49-6151-16-6036
__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Rijndael Patches for OpenSSL 0.9.6

[Robert Sandilands]

Attached is the patches for OpenSSL 0.9.6 to enable the AES
winner:Rijndael.

Three files: 

1. rijndael.diff - The diff file to use with "patch -p3 -u"
2. cmd - The command executed to create the diff file.
3. exclude - The files that were excluded.

Procedure for using patch:

1. tar zxf openssl-0.9.6.tgz
2. patch -p3 -u  rijndael.diff
3. cd openssl-0.9.6
4. Configure 
5. make update
6. Configure 
7. make
8. make test

Tested on:

1. RedHat Linux 7.0 under Intel and Borland C++ Builder 4.0 under
Windoze 98.
2. It should work on most 32-bit architectures and I have no idea
whether it would work on 64-bit architectures and have no access to be
able to test it.

Features and Limitations:

1. It defaults to a 256-bit key but can be configured for 128 and
192-bit keys too. 
2. The block length have been left at 128-bit's but according to the
specifications it is trivial to adjust upwards in 32-bit increments. 
3. Only CBC and ECB modes have been implimented. 

License:

1. I just took the code from the original Rijndael example code from the
author's web-site at http://www.esat.kuleuven.ac.be/~rijmen/rijndael/. 
2. He made it freely available so I'm uncertain what to do with the
license. 
3. I personally wouldn't mind putting the OpenSSL license in it but
maybe we can't. 

Comments:
1. The patch fails with openssl-0.9.6/Makefile.ssl but this is not
important as this file is recreated when you run "Configure". 
2. Any feedback would be appreciated.

Robert Sandilands

diff -u -p -r -b -d -I .o: .. --exclude-from=/home/robert/ftp/openssl/exclude 
./Makefile.org /source/openssl/openssl-0.9.6/Makefile.org
--- ./Makefile.org  Thu Sep 21 11:23:13 2000
+++ /source/openssl/openssl-0.9.6/Makefile.org  Mon Oct 16 13:38:00 2000
@@ -165,7 +165,7 @@ SDIRS=  \
des rc2 rc4 rc5 idea bf cast \
bn rsa dsa dh dso \
buffer bio stack lhash rand err objects \
-   evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp
+   evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp rijndael
 
 MAKEFILE= Makefile.ssl
 MAKE= make -f Makefile.ssl
diff -u -p -r -b -d -I .o: .. --exclude-from=/home/robert/ftp/openssl/exclude 
./Makefile.ssl /source/openssl/openssl-0.9.6/Makefile.ssl
--- ./Makefile.ssl  Tue Oct 24 11:31:30 2000
+++ /source/openssl/openssl-0.9.6/Makefile.ssl  Fri Oct 20 15:19:55 2000
@@ -11,9 +11,9 @@ SHLIB_VERSION_NUMBER=0.9.6
 SHLIB_VERSION_HISTORY=
 SHLIB_MAJOR=0
 SHLIB_MINOR=9.6
-PLATFORM=debug-linux-elf-noefence
+PLATFORM=BC-32
 OPTIONS=
-CONFIGURE_ARGS=debug-linux-elf-noefence
+CONFIGURE_ARGS=BC-32
 SHLIB_TARGET=
 
 # INSTALL_PREFIX is for package builders so that they can configure
@@ -54,20 +54,20 @@ OPENSSLDIR=/usr/local/ssl
 # equal 4.
 # PKCS1_CHECK - pkcs1 tests.
 
-CC= gcc
+CC= bcc32
 #CFLAG= -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall -Wuninitialized 
-DSHA1_ASM -DMD5_ASM -DRMD160_ASM
-CFLAG= -DTHREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DBN_DEBUG -DREF_CHECK 
-DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall 
-DSHA1_ASM -DMD5_ASM -DRMD160_ASM
+CFLAG= -DTHREADS  -DDSO_WIN32 
 DEPFLAG= 
 PEX_LIBS= -L. -L.. -L../.. -L../../..
-EX_LIBS= -ldl
+EX_LIBS= 
 AR=ar r
-RANLIB= /usr/bin/ranlib
-PERL= /usr/bin/perl
+RANLIB= true
+PERL= perl
 TAR= tar
 TARFLAGS= --no-recursion
 
 # Set BN_ASM to bn_asm.o if you want to use the C version
-BN_ASM= asm/bn86-elf.o asm/co86-elf.o
+BN_ASM= bn_asm.o
 #BN_ASM= bn_asm.o
 #BN_ASM= asm/bn86-elf.o# elf, linux-elf
 #BN_ASM= asm/bn86-sol.o # solaris
@@ -87,7 +87,7 @@ PROCESSOR= 
 
 # Set DES_ENC to des_enc.o if you want to use the C version
 #There are 4 x86 assember options.
-DES_ENC= asm/dx86-elf.o asm/yx86-elf.o
+DES_ENC= des_enc.o fcrypt_b.o
 #DES_ENC= des_enc.o fcrypt_b.o  # C
 #DES_ENC= asm/dx86-elf.o asm/yx86-elf.o # elf
 #DES_ENC= asm/dx86-sol.o asm/yx86-sol.o # solaris
@@ -96,7 +96,7 @@ DES_ENC= asm/dx86-elf.o asm/yx86-elf.o
 
 # Set BF_ENC to bf_enc.o if you want to use the C version
 #There are 4 x86 assember options.
-BF_ENC= asm/bx86-elf.o
+BF_ENC= bf_enc.o
 #BF_ENC= bf_enc.o
 #BF_ENC= asm/bx86-elf.o # elf
 #BF_ENC= asm/bx86-sol.o # solaris
@@ -105,7 +105,7 @@ BF_ENC= asm/bx86-elf.o
 
 # Set CAST_ENC to c_enc.o if you want to use the C version
 #There are 4 x86 assember options.
-CAST_ENC= asm/cx86-elf.o
+CAST_ENC= c_enc.o
 #CAST_ENC= c_enc.o
 #CAST_ENC= asm/cx86-elf.o # elf
 #CAST_ENC= asm/cx86-sol.o # solaris
@@ -114,7 +114,7 @@ CAST_ENC= asm/cx86-elf.o
 
 # Set RC4_ENC to rc4_enc.o if you want to use the C version
 #There are 4 x86 assember options.
-RC4_ENC= asm/rx86-elf.o
+RC4_ENC= rc4_enc.o
 #RC4_ENC= rc4_enc.o
 #RC4_ENC= asm/rx86-elf.o # elf
 #RC4_ENC= asm/rx86-sol.o # solaris
@@ -123,7 +123,7 @@ RC4_ENC= asm/rx86-elf.o
 
 # Set RC5_ENC to rc5_enc.o if you want to use the C version
 #There are 4 x86 assember options.
-RC5_ENC= asm/r586-elf.o
+RC5_ENC= rc5_enc.o
 #RC5_ENC= rc5_enc.o
 #RC5_ENC= asm/r586-elf.o # elf
 #RC5_ENC= asm/

Status of OpenCA patches for OpenSSL...

[Michael H. Warfield]

Hello everyone...

I'm relatively new to these lists, so this may have been hashed
out in the past or may be in some FAQ somewhere I can't find.  If so,
I appologize in advance.

In the OpenCA bundle, there are some patches for OpenSSL that are
recommended in the INSTALL document.  The latest patches seem to be
for OpenSSL 0.9.4 and patches against a snapshot late last year.
Examining the patches by hand, they seem to be adding some options
for getting status information.  Part of the 0.9.4 patch appears to
already be in 0.9.5 and the snapshot patch no longer has that part.
The snapshot patch does successfully patch 0.9.5.  Patches to the code
include changes to apps/ca.c to add a -status option and a -updatedb
option and some changes to crypto/conf/conf.c (which no longer exists
in OpenSSL snapshots although it is still present in 0.9.5).

Now...  These changes appear to be useful and needed by the OpenCA
project.  They also appear to have been kicking around for a while and
partially integrated into OpenSSL.

What is the status on these patches, given that there are no
patches specifically for OpenSSL-0.9.5 or against any recent snapshots?
Are they still necessary or are they now redundant in some way?

They don't appear to have any negative impact on OpenSSL so,
considering how long they've been available, why haven't they been
fully integrated into OpenSSL if they do something useful?  Is there
some reason for NOT integrating them into OpenSSL or applying the patches?

TIA!

Mike
-- 
 Michael H. Warfield|  (770) 985-6132   |  [EMAIL PROTECTED]
  (The Mad Wizard)  |  (770) 331-2437   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9  |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471|  possible worlds.  A pessimist is sure of it!

__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]