Re: [openssl-dev] Bug reports and patches for OpenSSL
Thank you for pointing that out. That is not what I expected, but it is a very important point for the fix. Sincerely, Yuchi Tian On Mon, Feb 6, 2017 at 4:59 PM, Lars Nordin wrote: > On 2017-02-05 07:54, yuchi tian wrote: > > Dear OpenSSL developers, > > We are software engineering researchers at University of Virginia. As part > of a research project, we have built a tool for automatically finding and > fixing error handling bugs and are testing it on > various cryptographic libraries and applications that use them. > > In the most recent version of OpenSSL, we discovered various instances > where there may be memory leak on error path, potential error propagation > or missing check of function call. And we also give a patch for each > potential bug. > > Please let us know how you intend to address these issues. > > 1: > https://github.com/openssl/openssl/blob/master/apps/ts.c > line 891, BIO_new_file(data, "rb") > bug info: memory leak on error path > patch: > > --- a/apps/ts.c > +++ b/apps/ts.c > @@ -878,6 +878,7 @@ static TS_VERIFY_CTX *create_verify_ctx(const char > *data, co > { > TS_VERIFY_CTX *ctx = NULL; > BIO *input = NULL; > +BIO *out = NULL; > TS_REQ *request = NULL; > int ret = 0; > int f = 0; > @@ -888,7 +889,8 @@ static TS_VERIFY_CTX *create_verify_ctx(const char > *data, co > f = TS_VFY_VERSION | TS_VFY_SIGNER; > if (data != NULL) { > f |= TS_VFY_DATA; > -if (TS_VERIFY_CTX_set_data(ctx, BIO_new_file(data, "rb")) == > NULL) > +out = BIO_new_file(data, "rb") > +if (TS_VERIFY_CTX_set_data(ctx, out) == NULL) > goto err; > } else if (digest != NULL) { > long imprint_len; > @@ -931,6 +933,7 @@ static TS_VERIFY_CTX *create_verify_ctx(const char > *data, co > } > BIO_free_all(input); > TS_REQ_free(request); > +BIO_free_all(out) > return ctx; > } > > > > 2: > https://github.com/openssl/openssl/blob/master/crypto/dh/dh_gen.c > line 75,77, ret->p = BN_new() > bug info: memory leak on error path > patch: 
> @@ -126,5 +126,7 @@ static int dh_builtin_genparams(DH *ret, int > prime_len, int > BN_CTX_end(ctx); > BN_CTX_free(ctx); > } > +if(ret->p!=NULL)BN_free(ret->p); > +if(ret->g!=NULL)BN_free(ret->g); > return ok; > } > > > 3: > https://github.com/openssl/openssl/blob/master/crypto/ec/ec_key.c > line 117, dest->priv_key = BN_new(); > bug info: memory leak on error path > patch: > > @@ -119,9 +119,11 @@ EC_KEY *EC_KEY_copy(EC_KEY *dest, const EC_KEY *src) > return NULL; > } > if (!BN_copy(dest->priv_key, src->priv_key)) > +BN_free(dest->priv_key) > return NULL; > if (src->group->meth->keycopy > && src->group->meth->keycopy(dest, src) == 0) > +BN_free(dest->priv_key) > > The tool need can't just add an extra line for an if-statement without {} > > return NULL; > } > } > @@ -134,6 +136,7 @@ EC_KEY *EC_KEY_copy(EC_KEY *dest, const EC_KEY *src) > dest->flags = src->flags; > if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_EC_KEY, > >ex_data, >ex_data)) > +BN_free(dest->priv_key) > > Same comment! > > return NULL; > > if (src->meth != dest->meth) { > @@ -146,6 +149,7 @@ EC_KEY *EC_KEY_copy(EC_KEY *dest, const EC_KEY *src) > } > > if (src->meth->copy != NULL && src->meth->copy(dest, src) == 0) > +BN_free(dest->priv_key) > return NULL; > > Another one > > > return dest; > > > 4:(solved in the recent commit) > https://github.com/openssl/openssl/blob/master/crypto/asn1/a_digest.c > line 33, str = OPENSSL_malloc(i)); > bug info: memory leak on error path > patch: OPENSSL_free(str); > patch location: 41 > > 5: > https://github.com/openssl/openssl/blob/master/crypto/asn1/bio_ndef.c > line 116,185, p = OPENSSL_malloc(derlen); > bug info: memory leak on error path > patch: > > @@ -122,6 +122,7 @@ static int ndef_prefix(BIO *b, unsigned char **pbuf, > int *pl > derlen = ASN1_item_ndef_i2d(ndef_aux->val, , ndef_aux->it); > > if (!*ndef_aux->boundary) > +OPENSSL_free(p); > return 0; > > > And again > > *plen = *ndef_aux->boundary - *pbuf; 
> @@ -191,6 +192,7 @@ static int ndef_suffix(BIO *b, unsigned char **pbuf, > int *pl > derlen = ASN1_item_ndef_i2d(ndef_aux->val, , ndef_aux->it); > > if (!*ndef_aux->boundary) > +OPENSSL_free(p); > return 0; > > And again > > *pbuf = *ndef_aux->boundary; > *plen = derlen - (*ndef_aux->boundary - ndef_aux->derbuf); > > 6: > https://github.com/openssl/openssl/blob/master/crypto/bio/bss_bio.c > line 625, b1->buf = OPENSSL_malloc(b1->size); > bug info: memory leak on error path > patch: > > @@ -635,6 +635,7 @@ static int bio_make_pair(BIO *bio1, BIO *bio2) > b2->buf =
Re: [openssl-dev] Bug reports and patches for OpenSSL
On 2017-02-05 07:54, yuchi tian wrote: Dear OpenSSL developers, We are software engineering researchers at University of Virginia. As part of a research project, we have built a tool for automatically finding and fixing error handling bugs and are testing it on various cryptographic libraries and applications that use them. In the most recent version of OpenSSL, we discovered various instances where there may be memory leak on error path, potential error propagation or missing check of function call. And we also give a patch for each potential bug. Please let us know how you intend to address these issues. 1: https://github.com/openssl/openssl/blob/master/apps/ts.c line 891, BIO_new_file(data, "rb") bug info: memory leak on error path patch: --- a/apps/ts.c +++ b/apps/ts.c @@ -878,6 +878,7 @@ static TS_VERIFY_CTX *create_verify_ctx(const char *data, co { TS_VERIFY_CTX *ctx = NULL; BIO *input = NULL; +BIO *out = NULL; TS_REQ *request = NULL; int ret = 0; int f = 0; @@ -888,7 +889,8 @@ static TS_VERIFY_CTX *create_verify_ctx(const char *data, co f = TS_VFY_VERSION | TS_VFY_SIGNER; if (data != NULL) { f |= TS_VFY_DATA; -if (TS_VERIFY_CTX_set_data(ctx, BIO_new_file(data, "rb")) == NULL) +out = BIO_new_file(data, "rb") +if (TS_VERIFY_CTX_set_data(ctx, out) == NULL) goto err; } else if (digest != NULL) { long imprint_len; @@ -931,6 +933,7 @@ static TS_VERIFY_CTX *create_verify_ctx(const char *data, co } BIO_free_all(input); TS_REQ_free(request); +BIO_free_all(out) return ctx; } 2: https://github.com/openssl/openssl/blob/master/crypto/dh/dh_gen.c line 75,77, ret->p = BN_new() bug info: memory leak on error path patch: @@ -126,5 +126,7 @@ static int dh_builtin_genparams(DH *ret, int prime_len, int BN_CTX_end(ctx); BN_CTX_free(ctx); } +if(ret->p!=NULL)BN_free(ret->p); +if(ret->g!=NULL)BN_free(ret->g); return ok; } 3: https://github.com/openssl/openssl/blob/master/crypto/ec/ec_key.c line 117, dest->priv_key = BN_new(); bug info: memory leak on error path patch: 
@@ -119,9 +119,11 @@ EC_KEY *EC_KEY_copy(EC_KEY *dest, const EC_KEY *src) return NULL; } if (!BN_copy(dest->priv_key, src->priv_key)) +BN_free(dest->priv_key) return NULL; if (src->group->meth->keycopy && src->group->meth->keycopy(dest, src) == 0) +BN_free(dest->priv_key) The tool can't just add an extra line for an if-statement without {} return NULL; } } @@ -134,6 +136,7 @@ EC_KEY *EC_KEY_copy(EC_KEY *dest, const EC_KEY *src) dest->flags = src->flags; if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_EC_KEY, >ex_data, >ex_data)) +BN_free(dest->priv_key) Same comment! return NULL; if (src->meth != dest->meth) { @@ -146,6 +149,7 @@ EC_KEY *EC_KEY_copy(EC_KEY *dest, const EC_KEY *src) } if (src->meth->copy != NULL && src->meth->copy(dest, src) == 0) +BN_free(dest->priv_key) return NULL; Another one return dest; 4:(solved in the recent commit) https://github.com/openssl/openssl/blob/master/crypto/asn1/a_digest.c line 33, str = OPENSSL_malloc(i)); bug info: memory leak on error path patch: OPENSSL_free(str); patch location: 41 5: https://github.com/openssl/openssl/blob/master/crypto/asn1/bio_ndef.c line 116,185, p = OPENSSL_malloc(derlen); bug info: memory leak on error path patch: @@ -122,6 +122,7 @@ static int ndef_prefix(BIO *b, unsigned char **pbuf, int *pl derlen = ASN1_item_ndef_i2d(ndef_aux->val, , ndef_aux->it); if (!*ndef_aux->boundary) +OPENSSL_free(p); return 0; And again *plen = *ndef_aux->boundary - *pbuf; @@ -191,6 +192,7 @@ static int ndef_suffix(BIO *b, unsigned char **pbuf, int *pl derlen = ASN1_item_ndef_i2d(ndef_aux->val, , ndef_aux->it); if (!*ndef_aux->boundary) +OPENSSL_free(p); return 0; And again *pbuf = *ndef_aux->boundary; *plen = derlen - (*ndef_aux->boundary - ndef_aux->derbuf); 6: https://github.com/openssl/openssl/blob/master/crypto/bio/bss_bio.c line 625, b1->buf = OPENSSL_malloc(b1->size); bug info: memory leak on error path patch: 
@@ -635,6 +635,7 @@ static int bio_make_pair(BIO *bio1, BIO *bio2) b2->buf = OPENSSL_malloc(b2->size); if (b2->buf == NULL) { BIOerr(BIO_F_BIO_MAKE_PAIR, ERR_R_MALLOC_FAILURE); +OPENSSL_free(b1->buf); return 0; } b2->len = 0; 7: https://github.com/openssl/openssl/blob/master/crypto/ec/ec_ameth.c line 244, ep = OPENSSL_malloc(eplen); bug info: memory leak on error path patch: @@ -255,6 +255,7 @@ static int eckey_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const if
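Lars's objection above (a line added under a braceless `if` changes what the `if` controls) and the second pattern in the proposed patches (freeing a member of an object the caller still owns) are shown side by side in the following added C example. It is not OpenSSL code and not part of any message in this thread; every name in it (`encode_as_patched`, `encode_fixed`, `fake_alloc`, `pair_make`, `pair_free`, the `*_scenario` helpers) is illustrative, and the 16-byte buffers and the counting allocator are constructed for the example.

```c
/* Added example, not OpenSSL code and not from any message in this thread:
 * the two ways the proposed error-path fixes go wrong, beside the pattern that
 * avoids both. All names below (encode_*, fake_alloc, pair_*) are illustrative. */
#include <stdlib.h>
#include <string.h>

/* Mistake 1 (bio_ndef.c and ec_ameth.c hunks): a free inserted before `return 0`
 * under a braceless `if`. It compiles, but the free is the whole if-body and the
 * `return 0` is unconditional, so the success return below it is dead code. */
int encode_as_patched(int have_boundary, unsigned char **out)
{
    unsigned char *p = malloc(16);
    if (p == NULL)
        return 0;
    memset(p, 0xAA, 16);          /* stand-in for the real encoding work */
    *out = p;                     /* buffer handed to the caller, as via *pbuf */
    if (!have_boundary)
        free(p);                  /* the only conditional statement; *out now dangles */
    return 0;                     /* runs for every input */
    return 1;                     /* unreachable */
}

/* With braces: freed only on the failure branch, handed out only on success. */
int encode_fixed(int have_boundary, unsigned char **out)
{
    unsigned char *p = malloc(16);
    if (p == NULL)
        return 0;
    memset(p, 0xAA, 16);
    if (!have_boundary) {
        free(p);
        return 0;
    }
    *out = p;
    return 1;
}

/* Counting allocator so the failure path can be forced: fails the Nth call. */
static int g_fail_at = 0, g_calls = 0;
static void *fake_alloc(size_t n) { return (++g_calls == g_fail_at) ? NULL : malloc(n); }

/* Mistake 2 (dh_gen.c and bss_bio.c hunks): freeing members of an object the
 * caller still owns on the success path, or without resetting the pointer.
 * Here: one cleanup label, members freed AND nulled only when !ok. */
struct pair { unsigned char *buf1, *buf2; };

int pair_make(struct pair *pr, size_t size)
{
    int ok = 0;
    pr->buf1 = pr->buf2 = NULL;
    if ((pr->buf1 = fake_alloc(size)) == NULL)
        goto err;
    if ((pr->buf2 = fake_alloc(size)) == NULL)
        goto err;
    ok = 1;
 err:
    if (!ok) {
        free(pr->buf1);           /* free(NULL) is a no-op: no NULL checks needed */
        free(pr->buf2);
        pr->buf1 = pr->buf2 = NULL;
    }
    return ok;
}

void pair_free(struct pair *pr)
{
    free(pr->buf1);
    free(pr->buf2);
    pr->buf1 = pr->buf2 = NULL;   /* a second pair_free() is then harmless */
}

/* Scenario helpers: each returns 1 when the behaviour described above holds. */
int patched_scenario(void)
{
    unsigned char *out = NULL;
    int ret = encode_as_patched(1, &out);  /* input that should succeed */
    int bug = (ret == 0 && out != NULL);   /* reported as failure, buffer abandoned */
    free(out);                             /* clean up what the broken version left */
    return bug;
}

int fixed_scenario(void)
{
    unsigned char *out = NULL;
    if (encode_fixed(0, &out) != 0 || out != NULL)
        return 0;
    if (encode_fixed(1, &out) != 1 || out == NULL)
        return 0;
    free(out);
    return 1;
}

int pair_scenario(void)
{
    struct pair pr;
    g_fail_at = 0; g_calls = 0;   /* every allocation succeeds */
    if (pair_make(&pr, 32) != 1 || pr.buf1 == NULL || pr.buf2 == NULL)
        return 0;
    pair_free(&pr);
    pair_free(&pr);               /* must not double free */
    g_fail_at = 2; g_calls = 0;   /* first buffer allocated, second fails */
    return pair_make(&pr, 32) == 0 && pr.buf1 == NULL && pr.buf2 == NULL;
}
```

`encode_as_patched()` is deliberately left in the shape the posted hunks would produce; it compiles without complaint, which is why a tool that only inserts a line cannot rely on the compiler to catch the change in control flow. The `goto err` shape in `pair_make()` is the one the surrounding OpenSSL code already uses, and resetting freed pointers to NULL is what keeps a later `pair_free()` from turning the fix into a double free.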
Re: [openssl-dev] Bug reports and patches for OpenSSL
> Guidance for how to correctly submit patches is given in the > CONTRIBUTING file here: > https://github.com/openssl/openssl/blob/master/CONTRIBUTING > Please could you submit your fixes as a github pull request? One pull > request for all of these issues should be fine. Thank you for the information. I will submit the fixes as a github pull request. Sincerely, Yuchi Tian On Sun, Feb 5, 2017 at 8:49 AM, Matt Caswell wrote: > > > On 05/02/17 06:54, yuchi tian wrote: > > Dear OpenSSL developers, > > > > We are software engineering researchers at University of Virginia. As > > part of a research project, we have built a tool for automatically > > finding and fixing error handling bugs and are testing it on > > various cryptographic libraries and applications that use them. > > > > In the most recent version of OpenSSL, we discovered various instances > > where there may be memory leak on error path, potential error > > propagation or missing check of function call. And we also give a patch > > for each potential bug. > > > > Please let us know how you intend to address these issues. > > Guidance for how to correctly submit patches is given in the > CONTRIBUTING file here: > > https://github.com/openssl/openssl/blob/master/CONTRIBUTING > > Please could you submit your fixes as a github pull request? One pull > request for all of these issues should be fine. > > We will also need a CLA from all authors: > https://www.openssl.org/policies/cla.html > > Thanks! > > Matt > > > > > > > 1: > > https://github.com/openssl/openssl/blob/master/apps/ts.c > > line 891, BIO_new_file(data, "rb") > > bug info: memory leak on error path > > patch: > > > > --- a/apps/ts.c > > +++ b/apps/ts.c > > @@ -878,6 +878,7 @@ static TS_VERIFY_CTX *create_verify_ctx(const char > > *data, co > > { > > TS_VERIFY_CTX *ctx = NULL; > > BIO *input = NULL; > > +BIO *out = NULL; > > TS_REQ *request = NULL; > > int ret = 0; > > int f = 0; 
> > @@ -888,7 +889,8 @@ static TS_VERIFY_CTX *create_verify_ctx(const char > > *data, co > > f = TS_VFY_VERSION | TS_VFY_SIGNER; > > if (data != NULL) { > > f |= TS_VFY_DATA; > > -if (TS_VERIFY_CTX_set_data(ctx, BIO_new_file(data, "rb")) > > == NULL) > > +out = BIO_new_file(data, "rb") > > +if (TS_VERIFY_CTX_set_data(ctx, out) == NULL) > > goto err; > > } else if (digest != NULL) { > > long imprint_len; > > @@ -931,6 +933,7 @@ static TS_VERIFY_CTX *create_verify_ctx(const char > > *data, co > > } > > BIO_free_all(input); > > TS_REQ_free(request); > > +BIO_free_all(out) > > return ctx; > > } > > > > > > > > 2: > > https://github.com/openssl/openssl/blob/master/crypto/dh/dh_gen.c > > line 75,77, ret->p = BN_new() > > bug info: memory leak on error path > > patch: > > @@ -126,5 +126,7 @@ static int dh_builtin_genparams(DH *ret, int > > prime_len, int > > BN_CTX_end(ctx); > > BN_CTX_free(ctx); > > } > > +if(ret->p!=NULL)BN_free(ret->p); > > +if(ret->g!=NULL)BN_free(ret->g); > > return ok; > > } > > > > > > 3: > > https://github.com/openssl/openssl/blob/master/crypto/ec/ec_key.c > > line 117, dest->priv_key = BN_new(); > > bug info: memory leak on error path > > patch: > > > > @@ -119,9 +119,11 @@ EC_KEY *EC_KEY_copy(EC_KEY *dest, const EC_KEY *src) > > return NULL; > > } > > if (!BN_copy(dest->priv_key, src->priv_key)) > > +BN_free(dest->priv_key) > > return NULL; > > if (src->group->meth->keycopy > > && src->group->meth->keycopy(dest, src) == 0) > > +BN_free(dest->priv_key) > > return NULL; > > } > > } > > @@ -134,6 +136,7 @@ EC_KEY *EC_KEY_copy(EC_KEY *dest, const EC_KEY *src) > > dest->flags = src->flags; > > if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_EC_KEY, > > >ex_data, >ex_data)) > > +BN_free(dest->priv_key) > > return NULL; > > > > if (src->meth != dest->meth) { 
> > @@ -146,6 +149,7 @@ EC_KEY *EC_KEY_copy(EC_KEY *dest, const EC_KEY *src) > > } > > > > if (src->meth->copy != NULL && src->meth->copy(dest, src) == 0) > > +BN_free(dest->priv_key) > > return NULL; > > > > return dest; > > > > > > 4:(solved in the recent commit) > > https://github.com/openssl/openssl/blob/master/crypto/asn1/a_digest.c > > line 33, str = OPENSSL_malloc(i)); > > bug info: memory leak on error path > > patch: OPENSSL_free(str); > > patch location: 41 > > > > 5: > > https://github.com/openssl/openssl/blob/master/crypto/asn1/bio_ndef.c > > line 116,185, p = OPENSSL_malloc(derlen); > > bug info: memory leak on error path > > patch: > > > > @@ -122,6 +122,7 @@ static int ndef_prefix(BIO *b, unsigned char **pbuf, > > int *pl > > derlen = ASN1_item_ndef_i2d(ndef_aux->val,
Re: [openssl-dev] Bug reports and patches for OpenSSL
> Will you make the tool and the corresponding scientific publication > public? Yes. We are currently at the stage of evaluating our tools. We will submit our work and share our tools when the project is done. Sincerely, Yuchi Tian On Sun, Feb 5, 2017 at 6:16 AM, Hanno Böck wrote: > On Sun, 5 Feb 2017 01:54:06 -0500 > yuchi tian wrote: > > > We are software engineering researchers at University of Virginia. As > > part of a research project, we have built a tool for automatically > > finding and fixing error handling bugs and are testing it on > > various cryptographic libraries and applications that use them. > > I can't answer on how to best report those bugs, but: > That sounds like interesting research. > > Will you make the tool and the corresponding scientific publication > public? > > -- > Hanno Böck > https://hboeck.de/ > > mail/jabber: ha...@hboeck.de > GPG: FE73757FA60E4E21B937579FA5880072BBB51E42 > -- > openssl-dev mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev >
Re: [openssl-dev] Bug reports and patches for OpenSSL
On 05/02/17 06:54, yuchi tian wrote: > Dear OpenSSL developers, > > We are software engineering researchers at University of Virginia. As > part of a research project, we have built a tool for automatically > finding and fixing error handling bugs and are testing it on > various cryptographic libraries and applications that use them. > > In the most recent version of OpenSSL, we discovered various instances > where there may be memory leak on error path, potential error > propagation or missing check of function call. And we also give a patch > for each potential bug. > > Please let us know how you intend to address these issues. Guidance for how to correctly submit patches is given in the CONTRIBUTING file here: https://github.com/openssl/openssl/blob/master/CONTRIBUTING Please could you submit your fixes as a github pull request? One pull request for all of these issues should be fine. We will also need a CLA from all authors: https://www.openssl.org/policies/cla.html Thanks! Matt > > 1: > https://github.com/openssl/openssl/blob/master/apps/ts.c > line 891, BIO_new_file(data, "rb") > bug info: memory leak on error path > patch: > > --- a/apps/ts.c > +++ b/apps/ts.c > @@ -878,6 +878,7 @@ static TS_VERIFY_CTX *create_verify_ctx(const char > *data, co > { > TS_VERIFY_CTX *ctx = NULL; > BIO *input = NULL; > +BIO *out = NULL; > TS_REQ *request = NULL; > int ret = 0; > int f = 0; > @@ -888,7 +889,8 @@ static TS_VERIFY_CTX *create_verify_ctx(const char > *data, co > f = TS_VFY_VERSION | TS_VFY_SIGNER; > if (data != NULL) { > f |= TS_VFY_DATA; > -if (TS_VERIFY_CTX_set_data(ctx, BIO_new_file(data, "rb")) > == NULL) > +out = BIO_new_file(data, "rb") > +if (TS_VERIFY_CTX_set_data(ctx, out) == NULL) > goto err; > } else if (digest != NULL) { > long imprint_len; 
> @@ -931,6 +933,7 @@ static TS_VERIFY_CTX *create_verify_ctx(const char > *data, co > } > BIO_free_all(input); > TS_REQ_free(request); > +BIO_free_all(out) > return ctx; > } > > > > 2: > https://github.com/openssl/openssl/blob/master/crypto/dh/dh_gen.c > line 75,77, ret->p = BN_new() > bug info: memory leak on error path > patch: > @@ -126,5 +126,7 @@ static int dh_builtin_genparams(DH *ret, int > prime_len, int > BN_CTX_end(ctx); > BN_CTX_free(ctx); > } > +if(ret->p!=NULL)BN_free(ret->p); > +if(ret->g!=NULL)BN_free(ret->g); > return ok; > } > > > 3: > https://github.com/openssl/openssl/blob/master/crypto/ec/ec_key.c > line 117, dest->priv_key = BN_new(); > bug info: memory leak on error path > patch: > > @@ -119,9 +119,11 @@ EC_KEY *EC_KEY_copy(EC_KEY *dest, const EC_KEY *src) > return NULL; > } > if (!BN_copy(dest->priv_key, src->priv_key)) > +BN_free(dest->priv_key) > return NULL; > if (src->group->meth->keycopy > && src->group->meth->keycopy(dest, src) == 0) > +BN_free(dest->priv_key) > return NULL; > } > } > @@ -134,6 +136,7 @@ EC_KEY *EC_KEY_copy(EC_KEY *dest, const EC_KEY *src) > dest->flags = src->flags; > if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_EC_KEY, > >ex_data, >ex_data)) > +BN_free(dest->priv_key) > return NULL; > > if (src->meth != dest->meth) { > @@ -146,6 +149,7 @@ EC_KEY *EC_KEY_copy(EC_KEY *dest, const EC_KEY *src) > } > > if (src->meth->copy != NULL && src->meth->copy(dest, src) == 0) > +BN_free(dest->priv_key) > return NULL; > > return dest; > > > 4:(solved in the recent commit) > https://github.com/openssl/openssl/blob/master/crypto/asn1/a_digest.c > line 33, str = OPENSSL_malloc(i)); > bug info: memory leak on error path > patch: OPENSSL_free(str); > patch location: 41 > > 5: > https://github.com/openssl/openssl/blob/master/crypto/asn1/bio_ndef.c > line 116,185, p = OPENSSL_malloc(derlen); > bug info: memory leak on error path > patch: 
> > @@ -122,6 +122,7 @@ static int ndef_prefix(BIO *b, unsigned char **pbuf, > int *pl > derlen = ASN1_item_ndef_i2d(ndef_aux->val, , ndef_aux->it); > > if (!*ndef_aux->boundary) > +OPENSSL_free(p); > return 0; > > *plen = *ndef_aux->boundary - *pbuf; > @@ -191,6 +192,7 @@ static int ndef_suffix(BIO *b, unsigned char **pbuf, > int *pl > derlen = ASN1_item_ndef_i2d(ndef_aux->val, , ndef_aux->it); > > if (!*ndef_aux->boundary) > +OPENSSL_free(p); > return 0; > *pbuf = *ndef_aux->boundary; > *plen = derlen - (*ndef_aux->boundary - ndef_aux->derbuf); > > 6: > https://github.com/openssl/openssl/blob/master/crypto/bio/bss_bio.c > line 625, b1->buf = OPENSSL_malloc(b1->size); > bug info: memory leak on error path > patch: > > @@ -635,6 +635,7 @@ static int
Re: [openssl-dev] Bug reports and patches for OpenSSL
On Sun, 5 Feb 2017 01:54:06 -0500 yuchi tian wrote: > We are software engineering researchers at University of Virginia. As > part of a research project, we have built a tool for automatically > finding and fixing error handling bugs and are testing it on > various cryptographic libraries and applications that use them. I can't answer on how to best report those bugs, but: That sounds like interesting research. Will you make the tool and the corresponding scientific publication public? -- Hanno Böck https://hboeck.de/ mail/jabber: ha...@hboeck.de GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
[openssl-dev] Bug reports and patches for OpenSSL
Dear OpenSSL developers, We are software engineering researchers at University of Virginia. As part of a research project, we have built a tool for automatically finding and fixing error handling bugs and are testing it on various cryptographic libraries and applications that use them. In the most recent version of OpenSSL, we discovered various instances where there may be memory leak on error path, potential error propagation or missing check of function call. And we also give a patch for each potential bug. Please let us know how you intend to address these issues. 1: https://github.com/openssl/openssl/blob/master/apps/ts.c line 891, BIO_new_file(data, "rb") bug info: memory leak on error path patch: --- a/apps/ts.c +++ b/apps/ts.c @@ -878,6 +878,7 @@ static TS_VERIFY_CTX *create_verify_ctx(const char *data, co { TS_VERIFY_CTX *ctx = NULL; BIO *input = NULL; +BIO *out = NULL; TS_REQ *request = NULL; int ret = 0; int f = 0; @@ -888,7 +889,8 @@ static TS_VERIFY_CTX *create_verify_ctx(const char *data, co f = TS_VFY_VERSION | TS_VFY_SIGNER; if (data != NULL) { f |= TS_VFY_DATA; -if (TS_VERIFY_CTX_set_data(ctx, BIO_new_file(data, "rb")) == NULL) +out = BIO_new_file(data, "rb") +if (TS_VERIFY_CTX_set_data(ctx, out) == NULL) goto err; } else if (digest != NULL) { long imprint_len; @@ -931,6 +933,7 @@ static TS_VERIFY_CTX *create_verify_ctx(const char *data, co } BIO_free_all(input); TS_REQ_free(request); +BIO_free_all(out) return ctx; } 2: https://github.com/openssl/openssl/blob/master/crypto/dh/dh_gen.c line 75,77, ret->p = BN_new() bug info: memory leak on error path patch: @@ -126,5 +126,7 @@ static int dh_builtin_genparams(DH *ret, int prime_len, int BN_CTX_end(ctx); BN_CTX_free(ctx); } +if(ret->p!=NULL)BN_free(ret->p); +if(ret->g!=NULL)BN_free(ret->g); return ok; } 3: https://github.com/openssl/openssl/blob/master/crypto/ec/ec_key.c line 117, dest->priv_key = BN_new(); bug info: memory leak on error path patch: 
@@ -119,9 +119,11 @@ EC_KEY *EC_KEY_copy(EC_KEY *dest, const EC_KEY *src) return NULL; } if (!BN_copy(dest->priv_key, src->priv_key)) +BN_free(dest->priv_key) return NULL; if (src->group->meth->keycopy && src->group->meth->keycopy(dest, src) == 0) +BN_free(dest->priv_key) return NULL; } } @@ -134,6 +136,7 @@ EC_KEY *EC_KEY_copy(EC_KEY *dest, const EC_KEY *src) dest->flags = src->flags; if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_EC_KEY, >ex_data, >ex_data)) +BN_free(dest->priv_key) return NULL; if (src->meth != dest->meth) { @@ -146,6 +149,7 @@ EC_KEY *EC_KEY_copy(EC_KEY *dest, const EC_KEY *src) } if (src->meth->copy != NULL && src->meth->copy(dest, src) == 0) +BN_free(dest->priv_key) return NULL; return dest; 4:(solved in the recent commit) https://github.com/openssl/openssl/blob/master/crypto/asn1/a_digest.c line 33, str = OPENSSL_malloc(i)); bug info: memory leak on error path patch: OPENSSL_free(str); patch location: 41 5: https://github.com/openssl/openssl/blob/master/crypto/asn1/bio_ndef.c line 116,185, p = OPENSSL_malloc(derlen); bug info: memory leak on error path patch: @@ -122,6 +122,7 @@ static int ndef_prefix(BIO *b, unsigned char **pbuf, int *pl derlen = ASN1_item_ndef_i2d(ndef_aux->val, , ndef_aux->it); if (!*ndef_aux->boundary) +OPENSSL_free(p); return 0; *plen = *ndef_aux->boundary - *pbuf; @@ -191,6 +192,7 @@ static int ndef_suffix(BIO *b, unsigned char **pbuf, int *pl derlen = ASN1_item_ndef_i2d(ndef_aux->val, , ndef_aux->it); if (!*ndef_aux->boundary) +OPENSSL_free(p); return 0; *pbuf = *ndef_aux->boundary; *plen = derlen - (*ndef_aux->boundary - ndef_aux->derbuf); 6: https://github.com/openssl/openssl/blob/master/crypto/bio/bss_bio.c line 625, b1->buf = OPENSSL_malloc(b1->size); bug info: memory leak on error path patch: 
@@ -635,6 +635,7 @@ static int bio_make_pair(BIO *bio1, BIO *bio2) b2->buf = OPENSSL_malloc(b2->size); if (b2->buf == NULL) { BIOerr(BIO_F_BIO_MAKE_PAIR, ERR_R_MALLOC_FAILURE); +OPENSSL_free(b1->buf); return 0; } b2->len = 0; 7: https://github.com/openssl/openssl/blob/master/crypto/ec/ec_ameth.c line 244, ep = OPENSSL_malloc(eplen); bug info: memory leak on error path patch: @@ -255,6 +255,7 @@ static int eckey_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const if (!PKCS8_pkey_set0(p8, OBJ_nid2obj(NID_X9_62_id_ecPublicKey), 0, ptype, pval, ep, eplen)) +OPENSSL_free(ep); return 0; return 1; 8:
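Review bot: the added lines `+out = BIO_new_file(data, "rb")` in the @@ -888 hunk of apps/ts.c and `+BIO_free_all(out)` in the @@ -931 hunk have no terminating semicolons, so the patch does not compile as posted. While touching this spot, check the result of `BIO_new_file()` for NULL before passing it to `TS_VERIFY_CTX_set_data()`, so a failed open and a failed set are not conflated into one `goto err`.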
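Review bot: `+BIO_free_all(out)` in the @@ -931 hunk sits on the success path, directly before `return ctx;`, after the same BIO was stored into `ctx` by `TS_VERIFY_CTX_set_data()`. If that setter keeps the pointer (its name suggests it does), the returned context now references a freed BIO that the caller will use and free again. The leak this is meant to address only exists when `TS_VERIFY_CTX_set_data()` fails after `BIO_new_file()` succeeded, so the free belongs on the `err` path that the `goto err` reaches, not before `return ctx`.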
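Review bot: the two `BN_free()` calls added at the end of `dh_builtin_genparams()` run unconditionally before `return ok;`, i.e. also when generation succeeded, so the caller receives a `DH` whose `p` and `g` were just freed. Guard them with `if (!ok)` and set `ret->p = ret->g = NULL` afterwards so the caller cannot free them a second time; the `!= NULL` tests are redundant because `BN_free(NULL)` is a no-op, and `if(ret->p!=NULL)BN_free(ret->p);` does not match the spacing style of the surrounding code.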
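Review bot: in the @@ -119 hunk of crypto/ec/ec_key.c, `+BN_free(dest->priv_key)` is inserted between `if (!BN_copy(dest->priv_key, src->priv_key))` and `return NULL;` with no braces, so the free becomes the if-body and `return NULL;` executes unconditionally; the second insertion under the `keycopy` test has the same effect, and both lines lack a semicolon. More fundamentally, the BIGNUM was assigned to `dest->priv_key` (line 117), so it is owned by `dest` and released by whatever frees `dest`; freeing it here without resetting the pointer turns a non-leak into a double free. If a failed copy should leave `dest` without a private key, free it and set `dest->priv_key = NULL` inside braces.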
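Review bot: the @@ -134 and @@ -146 hunks of ec_key.c repeat the same braceless insertion: `+BN_free(dest->priv_key)` becomes the body of the `if`, and the `return NULL;` that follows runs on every call, so in the last hunk `return dest;` can never be reached. Braces and a semicolon are required, and since `dest` owns `priv_key` the pointer has to be reset after the free.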
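Review bot: in `ndef_prefix()`, `+OPENSSL_free(p);` is added between `if (!*ndef_aux->boundary)` and `return 0;` without braces, so `return 0;` becomes unconditional and the filter fails on every call. Before adding a free here at all, establish who owns `p`: the suffix hunk computes `*plen` from `ndef_aux->derbuf`, which indicates the buffer is kept in `ndef_aux` and released with it, in which case freeing it here leaves a dangling pointer rather than fixing a leak.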
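Review bot: same braceless insertion in `ndef_suffix()`: `+OPENSSL_free(p);` is the whole if-body and `return 0;` runs unconditionally, so the two assignments that follow (`*pbuf = *ndef_aux->boundary;` and the `*plen` computation) become unreachable and the suffix is never reported to the caller.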
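Review bot: `+OPENSSL_free(b1->buf);` in `bio_make_pair()` releases the first buffer when the second allocation fails but leaves `b1->buf` pointing at freed memory. `b1` is a BIO the caller still holds, so either reset it (`b1->buf = NULL;`) right after the free or leave the release to whatever routine tears `b1` down; check which of the two already happens, otherwise this trades a leak for a double free.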
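Review bot: `+OPENSSL_free(ep);` in `eckey_priv_encode()` is again inserted under a braceless `if (!PKCS8_pkey_set0(...))`, so `return 0;` executes unconditionally and `return 1;` is dead: every private-key encode would report failure. Also, a `*_set0` function takes ownership of the pointer it is handed; confirm what `PKCS8_pkey_set0()` does with `ep` when it fails before freeing it here, and put the free in braces on the failure branch only.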
[openssl-dev] [openssl.org #2831] patches for openssl 1.0.1c digest stuff
Too late for 1.0.1 and too much work for 1.0.2 :) We fixed it in master (1.1) by saying "any supported digest" which isn't ideal, admittedly. -- Rich Salz, OpenSSL dev team; rs...@openssl.org
[openssl-dev] Merging Gentoo patches on OpenSSL
Hello, The Gentoo package for OpenSSL currently has a number of patches. The last OpenSSL 1.0.2a update took a bit longer due to that - patches had to be adjusted first. I think most (if not all) of these patches should just be incorporated into OpenSSL itself, as they're not Gentoo-specific. Minor fixes, build system improvements etc. Most of them have been submitted to the openssl rt in the past, but got no reaction so far. What can we do to work on merging them? Would you prefer git pull requests? Some examples: Let Makefiles respect LDFLAGS: https://rt.openssl.org/Ticket/Display.html?id=3332user=guestpass=guest Fix parallel builds: https://rt.openssl.org/Ticket/Display.html?id=2084user=guestpass=guest Build fix of 64 bit on 32 bit systems: https://bugs.gentoo.org/show_bug.cgi?id=542618 -- Hanno Böck http://hboeck.de/ mail/jabber: ha...@hboeck.de GPG: BBB51E42
Re: [openssl-dev] Merging Gentoo patches on OpenSSL
On 01/04/15 18:32, Hanno Böck wrote: Hello, The Gentoo package for OpenSSL currently has a number of patches. The last OpenSSL 1.0.2a update took a bit longer due to that - patches had to be adjusted first. How many patches are you talking about? I think most (if not all) of these patches should just be incorporated into OpenSSL itself, as they're not Gentoo-specific. Minor fixes, built system improvements etc. Most of them have been submitted to the openssl rt in the past, but got no reaction so far. What can we do to work on merging them? Would you prefer git pull requests? Some examples: Let Makefiles respect LDFLAGS: https://rt.openssl.org/Ticket/Display.html?id=3332user=guestpass=guest This one says it's been applied and is marked as resolved. Are you saying it's not? Mind you it doesn't seem to be about LDFLAGS so perhaps you meant a different one? Fix parallel builds: https://rt.openssl.org/Ticket/Display.html?id=2084user=guestpass=guest That one also says it's been applied and is marked as resolved? Build fix of 64 bit on 32 bit systems: https://bugs.gentoo.org/show_bug.cgi?id=542618 Matt
Re: [openssl-dev] Merging Gentoo patches on OpenSSL
MC This one says its been applied and is marked as resolved. Are you MC saying its not? Mind you it doesn't seem to be about LDFLAGS so MC perhaps you meant a different one? The openssl-1.0.0a-ldflags.patch still applies to master. As does openssl-1.0.2a-x32-asm.patch. MC That one also says its been applied and is marked as resolved? Most of the hunks in Gentoo's openssl-1.0.2a-parallel-build.patch also still apply to master. (9 of 17.) And 17 of 27 hunks of openssl-1.0.2-ipv6.patch also still apply. (That is based on the 7 patches in Gentoo's openssl-1.0.2a.ebuild.) -JimC -- James Cloos cl...@jhcloos.com OpenPGP: 0x997A9F17ED7DAEA6
[openssl.org #782] IBM patches to OpenSSL-0.9.7c
The assembly code seems to have been included already. The platforms we want are included already. I think we've got the 'good bits' from this; if not, please open a new ticket to cover it. thanks. -- Rich Salz, OpenSSL dev team; rs...@openssl.org __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: [openssl.org #782] IBM patches to OpenSSL-0.9.7c
That's essentially correct. Any IBM contributions from me have been dealt already, just to save time if you hit more. Thanks Peter From: Rich Salz via RT r...@openssl.org To: Peter Waltenberg/Australia/IBM@IBMAU Cc: openssl-dev@openssl.org Date: 15/08/2014 12:27 PM Subject:[openssl.org #782] IBM patches to OpenSSL-0.9.7c The assembly code seems to have been included already. The platforms we want are included already. I think we've got the 'good bits' from this; if not, please open a new ticket to cover it. thanks. -- Rich Salz, OpenSSL dev team; rs...@openssl.org
[openssl.org #2831] patches for openssl 1.0.1c digest stuff
Hi. openssl 1.0.1c and its man pages don't tell the full story about support for secure hash algorithms, especially the SHA family. The attached patch fixes this. Though it's a bit clunky. FWIW openssl dss1 seems to be an alias for sha1 and the output is reported as DSA. But we can't have a digest man page for dsa since that already exists. openssl-hash-patch Description: Binary data
[openssl.org #499] Patches to OpenSSL for Stratus VOS
The patches described in request-tracker entry #499 are now obsolete. As far as I am concerned, request #499 can be closed. Please see the email thread starting at http://marc.theaimsgroup.com/?l=openssl-devm=108008359106412w=2 for the updated patch. This is a letter I originally sent to openssl-dev on March 23, 2004, and which has some follow-ups from Richard Levitte and myself. I neglected to send in this newer patch to the request tracker; please let me know if you would like me to do this. I don't need the patch applied to the 0.9.7 branch; I'd be satisfied to see it applied to the 0.9.8-dev branch. Thanks PG -- Stratus Technologies 111 Powdermill Road Maynard, MA 01754-3409 U.S.A. Paul Green Senior Technical Consultant TEL +1 (978) 461-7557 FAX +1 (978) 461-3610
Re: [openssl.org #499] Patches to OpenSSL for Stratus VOS
If you could please send the new patch as an update to this ticket (for example by replying to this message and making sure it reaches [EMAIL PROTECTED]), that would be the best way. In message [EMAIL PROTECTED] on Mon, 7 Jun 2004 21:33:49 +0200 (METDST), Green, Paul via RT [EMAIL PROTECTED] said: rt rt The patches described in request-tracker entry #499 are now rt obsolete. As far as I am concerned, request #499 can be closed. rt rt Please see the email thread starting at rt http://marc.theaimsgroup.com/?l=openssl-devm=108008359106412w=2 rt for the updated patch. This is a letter I originally sent to rt openssl-dev on March 23, 2004, and which has some follow-ups from rt Richard Levitte and myself. rt rt I neglected to send in this newer patch to the request tracker; rt please let me know if you would like me to do this. rt rt I don't need the patch applied to the 0.9.7 branch; I'd be rt satisified to see it applied to the 0.9.8-dev branch. - Please consider sponsoring my work on free software. See http://www.free.lp.se/sponsoring.html for details. -- Richard Levitte \ Tunnlandsvägen 52 \ [EMAIL PROTECTED] [EMAIL PROTECTED] \ S-168 36 BROMMA \ T: +46-708-26 53 44 \ SWEDEN \ Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED] Member of the OpenSSL development team: http://www.openssl.org/ Unsolicited commercial email is subject to an archival fee of $400. See http://www.stacken.kth.se/~levitte/mail/ for more info.
RE: [openssl.org #499] Patches to OpenSSL for Stratus VOS
The following patch should replace the patch originally submitted for request #499. This patch helps OpenSSL build on the Stratus VOS operating system using our POSIX environment. These changes should not affect any other operating system.

This patch is nearly identical to the one I mailed to openssl-dev on March 23, 2004. The difference is that I eliminated my changes to comment out the unconditional execution of openssl.pm in apps/Makefile.ssl because (a) Richard Levitte objected and (b) the affected command line starts with a hyphen, so the fact that it fails when cross-compiling should be ignored by the make command.

I don't need the patch applied to the 0.9.7 branch; I'd be satisfied to see it applied to the 0.9.8-dev branch. I just checked and it will apply cleanly to 0.9.7c and 0.9.7d; it will display a few offset messages with 0.9.7d but these are harmless.

Thanks
PG

--
Paul Green, Senior Technical Consultant, Stratus Technologies.
Voice: +1 978-461-7557; FAX: +1 978-461-3610; AIM: PaulGreen
RE: [openssl.org #782] IBM patches to OpenSSL-0.9.7c
I was curious about the diffs/patch and config mentioned in the posting below (the Itanium part if segregated, or the complete patch) and was rummaging the list for that. Is there someplace I can download from, or look at the patch?

Thanks
Gaurav

-----Original Message-----
From: Lutz Jaenicke via RT [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 01, 2003 5:31 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: [openssl.org #782] IBM patches to OpenSSL-0.9.7c

> [levitte - Mon Dec 1 13:18:42 2003]:
>
> Uh, are you sure you attached ibm.patch? I can't seem to see that patch.

Yes, the patch was attached to the Mail (some 2.x MB)...
I will attach a compressed version to this reply.

Best regards,
Lutz
RE: [openssl.org #782] IBM patches to OpenSSL-0.9.7c
On Fri, 2 Apr 2004, Gaurav Khanna wrote:

> I was curious about the diffs/patch and config mentioned in the posting
> below (the Itanium part if segregated, or the complete patch) and was
> rummaging the list for that. Is there someplace I can download from, or
> look at the patch?

You need to get attachments from the response tracker:

  http://www.aet.tu-cottbus.de/rt2/Ticket/Attachment/5077/3485/ibm.patch.gz
  http://www.aet.tu-cottbus.de/rt2/Ticket/Attachment/5067/3476/config

The ticket number is in the Subject of the email. You can go to the main Response Tracker page at http://www.aet.tu-cottbus.de/rt2/

Doug
--
Doug Kaufman
Internet: [EMAIL PROTECTED]
[openssl.org #782] IBM patches to OpenSSL-0.9.7c
Uh, are you sure you attached ibm.patch? I can't seem to see that patch.

[[EMAIL PROTECTED] - Mon Dec 1 08:34:29 2003]:

> [...]
> Diff's between OpenSSL-0.9.7c and IBM's code.
> (See attached file: ibm.patch)
>
> IBM specific configuration. i.e. the options we pass through to OpenSSL
> Configure.
> (See attached file: config)

--
Richard Levitte
[EMAIL PROTECTED]
[openssl.org #782] IBM patches to OpenSSL-0.9.7c
[levitte - Mon Dec 1 13:18:42 2003]:

> Uh, are you sure you attached ibm.patch? I can't seem to see that patch.

Yes, the patch was attached to the Mail (some 2.x MB)...
I will attach a compressed version to this reply.

Best regards,
Lutz
Re: Patches to openssl-0.9.6c for OpenServer 5.0.6a new socketlibs.
From: Boyd Lynn Gerber [EMAIL PROTECTED]

gerberb> With the release of the rs506a patch about a year ago openssl-0.9.6x
gerberb> started having problems with the native compiler. Below is what SCO has
gerberb> posted and made available. The current method uses COFF, which causes
gerberb> problems. I have attached two files that work. Also, 3 files for
gerberb> shared libraries are at the bottom.

Hello Boyd,

I'm considering your patch, and am wondering why you felt you needed entirely separate Configure entries for shared libraries instead of just augmenting the existing ones with the shared library support information?

--
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken \ S-168 35 BROMMA   \ T: +46-8-26 52 47
                   \ SWEDEN            \ or +46-733-72 88 11
Procurator Odiosus Ex Infernis                  -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/
Software Engineer, GemPlus: http://www.gemplus.com/

Unsolicited commercial email is subject to an archival fee of $400.
See http://www.stacken.kth.se/~levitte/mail/ for more info.
Re: Patches to openssl-0.9.6c for OpenServer 5.0.6a new socket libs.
On Wed, 2 Jan 2002, Richard Levitte - VMS Whacker wrote:

> I'm considering your patch, and am wondering why you felt you needed
> entirely separate Configure entries for shared libraries instead of just
> augmenting the existing ones with the shared library support information?

The first ones I sent were wrong for Configure. I grabbed the first pass instead of the final version. Here is the correct Configure patch.

Thanks,

--
Boyd Gerber [EMAIL PROTECTED]
ZENEZ 3748 Valley Forge Road, Magna Utah 84044

*** Configure.org Thu Dec 6 06:11:39 2001 --- Configure Fri Dec 28 16:39:23 2001 *** *** 421,427 # SCO 5 - Ben Laurie [EMAIL PROTECTED] says the -O breaks the # SCO cc. ! sco5-cc, cc:::(unknown):-lsocket:${x86_gcc_des} ${x86_gcc_opts}:::, # des options? sco5-cc-pentium, cc:-Kpentium::(unknown):-lsocket:${x86_gcc_des} ${x86_gcc_opts}:::, # des options? sco5-gcc, gcc:-O3 -fomit-frame-pointer::(unknown):-lsocket:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:::, # the SCO assembler doesn't seem to like our assembler files ... --- 421,427 # SCO 5 - Ben Laurie [EMAIL PROTECTED] says the -O breaks the # SCO cc. ! sco5-cc, cc:-belf::(unknown):-lsocket -lresolv:${x86_gcc_des} ${x86_gcc_opts}:::, # des options? sco5-cc-pentium, cc:-Kpentium::(unknown):-lsocket:${x86_gcc_des} ${x86_gcc_opts}:::, # des options? sco5-gcc, gcc:-O3 -fomit-frame-pointer::(unknown):-lsocket:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:::, # the SCO assembler doesn't seem to like our assembler files ... sco5-cc-shared,cc:-belf::(unknown):-lsocket -lresolv -lnsl:MD2_CHAR RC4_INDEX ${x86_gcc_des}::dlfcn:svr3-shared:-Kpic, *** *** 424,429 sco5-cc, cc:::(unknown):-lsocket:${x86_gcc_des} ${x86_gcc_opts}:::, # des options? sco5-cc-pentium, cc:-Kpentium::(unknown):-lsocket:${x86_gcc_des} ${x86_gcc_opts}:::, # des options? sco5-gcc, gcc:-O3 -fomit-frame-pointer::(unknown):-lsocket:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:::, # the SCO assembler doesn't seem to like our assembler files ... 
# Sinix/ReliantUNIX RM400 # NOTE: The CDS++ Compiler up to V2.0Bsomething has the IRIX_CC_BUG optimizer problem. Better use -g */ --- 424,431 sco5-cc, cc:-belf::(unknown):-lsocket -lresolv:${x86_gcc_des} ${x86_gcc_opts}:::, # des options? sco5-cc-pentium, cc:-Kpentium::(unknown):-lsocket:${x86_gcc_des} ${x86_gcc_opts}:::, # des options? sco5-gcc, gcc:-O3 -fomit-frame-pointer::(unknown):-lsocket:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:::, # the SCO assembler doesn't seem to like our assembler files ... + sco5-cc-shared,cc:-belf::(unknown):-lsocket -lresolv -lnsl:MD2_CHAR RC4_INDEX +${x86_gcc_des}::dlfcn:svr3-shared:-Kpic, + sco5-gcc-shared,gcc:-O3 -fomit-frame-pointer::(unknown):-lsocket -lresolv +-lnsl:MD2_CHAR RC4_INDEX ${x86_gcc_des}::dlfcn:svr3-shared:-fpic, # Sinix/ReliantUNIX RM400 # NOTE: The CDS++ Compiler up to V2.0Bsomething has the IRIX_CC_BUG optimizer problem. Better use -g */
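Review bot: the two context hunks overlap and contradict each other. `*** 421,427` and `*** 424,429` both cover the sco5-cc, sco5-cc-pentium and sco5-gcc entries; the first hunk marks the sco5-cc change with `!` but lists the new `sco5-cc-shared,cc:-belf::...` line on its new side without a `+` marker and without widening the `--- 421,427` range, while the second hunk shows sco5-cc as unmarked context that nevertheless differs between the old side (`cc:::(unknown):-lsocket:`) and the new side (`cc:-belf::(unknown):-lsocket -lresolv:`). `patch` will reject or misapply one of the two. Regenerate the diff in a single pass (`diff -c Configure.org Configure`) so there is one hunk, with the two shared entries marked `+` and the new-side range widened to match.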
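Review bot: the change to the existing sco5-cc entry (adding `-belf` to the compiler flags and `-lresolv` to the libraries) is not explained in the message, and sco5-cc-pentium keeps the old `cc:-Kpentium::(unknown):-lsocket:` line. If the new socket libraries on 5.0.6a require `-belf`/`-lresolv`, the pentium target needs them as well; if they are only needed for shared builds, leave the non-shared entry untouched and, as Richard asked, consider adding the `dlfcn:svr3-shared:-Kpic` fields to the existing entries rather than introducing separate sco5-cc-shared and sco5-gcc-shared targets.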
Re: Patches for OpenSSL
Bodo Moeller wrote:

>> Do you prefer the patch against the pre-patched version or against the
>> patched version of the ca.pod file ?
>
> I'd prefer one for the patched version (but it shouldn't really matter if
> you use a context or unified diff).

Here it is. I think it should be error free; anyway, if you have time, check it before submission (:-D).

> I don't think anyone has plans for that currently. If large-impact
> changes are needed, this should be discussed on openssl-dev.

Yes, I know. I have to check.

Some work could initially be done by introducing another switch (and conf keyword) to enable/disable the usage of the index.txt backend during certificate issuing -- this would enable using the ca command with unsupported certificate profiles (such as duplicate DNs). Then, with patience, it would be a good thing to start rewriting the backend db support ... and then, only then, we could start adding new RFC-supported certificate profiles... This is quite a lot of work and I am not sure it can be done without backward-compatibility issues arising...

Another idea worth exploring could be writing a libca where the ca functions are held, but I am not sure this is within the scope of the openssl project... anyway, as this is strictly tied to the openssl library itself, it could be useful having it together with the package.

I will forward this e-mail to the openssl-dev mailing list also, to get the feeling about all this stuff.

--
C'you,

	Massimiliano Pala

--o------------------------------------------------------------------------
Massimiliano Pala [OpenCA Project Manager]            [EMAIL PROTECTED]
                                                       [EMAIL PROTECTED]
                                                       [EMAIL PROTECTED]
http://www.openca.org                        Tel.:   +39 (0)59  270 094
http://openca.sourceforge.net                Mobile: +39 (0)347 7222 365

--- ca.pod Mon Oct 22 19:20:50 2001 +++ ca.pod.new Mon Oct 22 19:20:25 2001 @@ -34,6 +34,7 @@ [B-spkac file] [B-ss_cert file] [B-preserveDN] +[B-noemailDN] [B-batch] [B-msie_hack] [B-extensions section] 
@@ -157,6 +158,16 @@ older IE enrollment control which would only accept certificates if their DNs match the order of the request. This is not needed for Xenroll. +=item B-noemailDN + +The DN of a certificate can contain the EMAIL field if present in the +request DN, however it is good policy just having the e-mail set into +the altName extension of the certificate. When this option is set the +EMAIL field is removed from the certificate' subject and set only in +the, eventually present, extensions. The Bemail_in_dn keyword can be +used in the configuration file to enable this behaviour. + +=item B-batch =item B-batch this sets the batch mode. In this mode no questions will be asked @@ -437,6 +448,7 @@ default_md = md5 # md to use policy = policy_any# default policy + email_in_dn= no# Don't add the email into cert DN nameopt = default_ca# Subject name display option certopt = default_ca# Certificate display option @@ -518,8 +530,11 @@ BCA.pl help a little but not very much. Any fields in a request that are not present in a policy are silently -deleted. This does not happen if the B-preserveDN option is used. -The behaviour should be more friendly and configurable. +deleted. This does not happen if the B-preserveDN option is used. To +enforce the absence of the EMAIL field within the DN, as suggested by +RFCs, regardless the contents of the request' subject the B-noemailDN +option can be used. The behaviour should be more friendly and +configurable. Cancelling some commands by refusing to certify a certificate can create an empty file.
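Review bot: the `@@ -157,6 +158,16 @@` hunk introduces a duplicate -batch entry: the added `+=item B-batch` line is immediately followed by the existing `=item B-batch`, so the OPTIONS list will render -batch twice (or pod2man will complain about an empty item). Drop the added line and keep only the blank line that separates the new -noemailDN item from -batch. In the same hunk, `certificate' subject` should read `certificate's subject`, and "The email_in_dn keyword can be used in the configuration file to enable this behaviour" should state the value, since the keyword has this effect only when set to `no` (`email_in_dn = no`), and should say that the command-line switch overrides the configuration value, as the cover message does.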
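Review bot: in the `@@ -518,8 +530,11 @@` hunk, `regardless the contents of the request' subject` should read `regardless of the contents of the request's subject`, and "as suggested by RFCs" would be more useful to readers if it named the reference (RFC 2459, section 4.2.1.7, which requires e-mail addresses in new certificates to be carried as rfc822Name in subjectAltName and deprecates the emailAddress attribute in the subject DN). The sentence also belongs with the -noemailDN option text rather than in this notes paragraph, where it reads as a second description of the same switch.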
Re: Patches for OpenSSL [EMAIL in DN]
Harald Koch wrote:

> There's a configuration option in the openssl.conf file that lets you
> either copy or move the email address from the X509 subject to the
> subjectAltName extension.

The problem was that if you did not want the EMAIL field in the subject while having the extensions correctly set, you should use the $ENV support for it to be set (I don't know of any other method useful when issuing certs, as the email is one field that changes for every certificate and it is not recommended to edit the config file for each new certificate :-D).

I think this patch is useful at least when dealing with SPKAC and PKCS#10 requests (not IE; I suppose it has some problem importing certificates with a DN different from the one submitted in the req) -- it gives you the chance not to change the code you already have for certificate requesting, and could also help enforcing a correct policy within your CA. At least to me...

--
C'you,

	Massimiliano Pala

--o------------------------------------------------------------------------
Massimiliano Pala [OpenCA Project Manager]            [EMAIL PROTECTED]
                                                       [EMAIL PROTECTED]
                                                       [EMAIL PROTECTED]
http://www.openca.org                        Tel.:   +39 (0)59  270 094
http://openca.sourceforge.net                Mobile: +39 (0)347 7222 365
Patches for OpenSSL [EMAIL in DN]
Hi,

It's been some time since I last wrote on the mailing lists (:-D), anyway I have some patches for the ca.c command. This time they should be complete (the ca.pod patch is present also).

To patch, simply copy ca.patch into the apps/ dir and ca.pod.patch into doc/apps and do:

  $ cd apps
  $ patch < ca.patch
  $ cd ../doc/apps
  $ patch < ca.pod.patch

[just to be complete :-D]

Please let me know your opinion.

P.S.: Actually I get a core dump on the SNAP (20011013) independently from my patch (so I use it together with an old SNAP that works - 20010826) when using many commands such as req, ca, etc...

Now it comes the real stuff.

DESCRIPTION
===========

This patch adds the possibility to not include the EMAIL field in the DN of the issued certificate when issuing a new certificate. This was needed as the inclusion of the EMAIL is actually deprecated by RFCs.

This patch does not alter the normal behaviour of the ca command if the flag or the config keyword is not used.

The added flag reads as follows:

  -noemailDN - Don't add the EMAIL field into certificate' subject

Command line sample usage:

  openssl ca -spkac spkac.req -cert cacert.pem -keyfile cakey.pem \
      -config conf/openssl/openssl.cnf -noemailDN -preserveDN

  openssl ca -in req.pem -noemailDN -cert cacert.pem -keyfile cakey.pem \
      -config conf/openssl/openssl.cnf

The added configuration key is email_in_dn and if set to no the EMAIL field is not added to the certificate's subject (equivalent to the usage of the -noemailDN command line switch). The command line option overrides the configuration file's value.

Sample configuration keyword usage:

  ...
  oid_file        = $dir/private/.oid
  x509_extensions = user_cert   # The extentions to add to the cert
  email_in_dn     = no          # Don't add the email into the cert DN
  ...
--
C'you,

	Massimiliano Pala

--o------------------------------------------------------------------------
Massimiliano Pala [OpenCA Project Manager]            [EMAIL PROTECTED]
                                                       [EMAIL PROTECTED]
                                                       [EMAIL PROTECTED]
http://www.openca.org                        Tel.:   +39 (0)59  270 094
http://openca.sourceforge.net                Mobile: +39 (0)347 7222 365

--- ca.cTue Oct 16 00:46:06 2001 +++ ca.new Tue Oct 16 00:45:41 2001 @@ -126,6 +126,7 @@ #define ENV_DEFAULT_CRL_DAYS default_crl_days #define ENV_DEFAULT_CRL_HOURS default_crl_hours #define ENV_DEFAULT_MD default_md +#define ENV_DEFAULT_EMAIL_DN email_in_dn #define ENV_PRESERVE preserve #define ENV_POLICY policy #define ENV_EXTENSIONS x509_extensions @@ -182,6 +183,7 @@ -spkac file - File contains DN and signed public key and challenge\n, -ss_cert file - File contains a self signed cert to sign\n, -preserveDN - Don't re-order the DN\n, + -noemailDN - Don't add the EMAIL field into certificate' subject\n, -batch - Don't ask questions\n, -msie_hack - msie modifications to handle all those universal strings\n, -revoke file- Revoke a certificate (given in file)\n, 
@@ -211,32 +213,32 @@ static int save_serial(char *serialfile, BIGNUM *serial); static int certify(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509, const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy,TXT_DB *db, - BIGNUM *serial, char *subj, char *startdate,char *enddate, - long days, int batch, char *ext_sect, CONF *conf,int verbose, - unsigned long certopt, unsigned long nameopt, int default_op, - int ext_copy); + BIGNUM *serial, char *subj, int email_dn, char *startdate, + char *enddate, long days, int batch, char *ext_sect, CONF *conf, + int verbose, unsigned long certopt, unsigned long nameopt, + int default_op, int ext_copy); static int certify_cert(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509, const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy, - TXT_DB *db, BIGNUM *serial, char *subj, char *startdate, - char *enddate, long days, int batch, char *ext_sect, - CONF *conf,int verbose, unsigned long certopt, + TXT_DB *db, BIGNUM *serial, char *subj, int email_dn, + char *startdate, char *enddate, long days, int batch, + char *ext_sect, CONF *conf,int verbose, unsigned long certopt, unsigned long nameopt, int default_op, int ext_copy, ENGINE *e); static int certify_spkac(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509, const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy, -TXT_DB *db,
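Review bot: the new usage line in the `@@ -182,6 +183,7 @@` hunk, `-noemailDN - Don't add the EMAIL field into certificate' subject`, has a stray apostrophe; make it `the certificate subject` (or `certificate's subject`) so it reads like the neighbouring entries such as `-preserveDN - Don't re-order the DN`.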
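Review bot: the `@@ -211,32 +213,32 @@` hunk inserts `int email_dn` between `subj` and `startdate` in the certify(), certify_cert() and certify_spkac() prototypes, which shifts every later positional argument. A caller the patch misses would then pass `startdate` (a `char *`) where `int email_dn` is expected, which many C compilers of the period report only as a pointer-to-integer warning rather than an error, so build with warnings enabled and check each call site; appending the parameter after `ext_copy` instead would turn a missed caller into a hard argument-count error.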
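The -noemailDN / email_in_dn behaviour described in the message above, modelled as an added example (this is not code from the patch or from OpenSSL): it parses OpenSSL's one-line subject syntax, resolves the effective setting with the command-line switch overriding the configuration keyword, and splits the request DN into the issued subject and the rfc822Name values for the subjectAltName. Assumptions not in the original message: the e-mail attribute may be spelled `emailAddress` (OpenSSL's name) or `EMAIL` (the spelling used in the patch text), the SAN side behaves like a `subjectAltName = email:copy` extension so the address taken out of the DN still appears there, and the request subjects are constructed sample values.

```python
"""Model of the -noemailDN / email_in_dn policy for the ca command.

Added example, not code from the patch or from OpenSSL. Works on the
one-line subject form "/C=IT/O=OpenCA/CN=Max/emailAddress=max@example.org".
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

RDN = Tuple[str, str]                      # (attribute type, value)

# Assumption: both spellings are treated as the EMAIL field of the DN.
EMAIL_ATTRS = {"emailAddress", "EMAIL"}


def parse_subject(subj: str) -> List[RDN]:
    """Parse OpenSSL's one-line subject form into an ordered list of RDNs.

    A backslash escapes the next character, so "\\/" is a slash inside a
    value. Order is kept so -preserveDN semantics can be honoured later.
    """
    if not subj.startswith("/"):
        raise ValueError("subject must start with '/'")
    parts: List[str] = []
    cur = ""
    i = 1
    while i < len(subj):
        ch = subj[i]
        if ch == "\\" and i + 1 < len(subj):   # escaped character
            cur += subj[i + 1]
            i += 2
            continue
        if ch == "/":                          # RDN separator
            parts.append(cur)
            cur = ""
        else:
            cur += ch
        i += 1
    parts.append(cur)
    rdns: List[RDN] = []
    for part in parts:
        attr, sep, value = part.partition("=")
        if not sep or not attr or not value:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr, value))
    return rdns


def format_subject(rdns: List[RDN]) -> str:
    """Inverse of parse_subject: escape backslashes and slashes in values."""
    def esc(value: str) -> str:
        return value.replace("\\", "\\\\").replace("/", "\\/")
    return "".join(f"/{attr}={esc(value)}" for attr, value in rdns)


def email_in_dn(config_value: Optional[str], noemail_flag: bool) -> bool:
    """Effective setting: -noemailDN overrides the email_in_dn keyword.

    With neither given, the EMAIL field is kept (unchanged ca behaviour).
    """
    if noemail_flag:
        return False
    if config_value is None:
        return True
    return config_value.strip().lower() != "no"


@dataclass
class IssuedNames:
    subject: List[RDN]          # RDNs that end up in the certificate subject
    rfc822_names: List[str]     # e-mail addresses for the subjectAltName


def apply_email_policy(req_rdns: List[RDN], keep_email: bool) -> IssuedNames:
    """Split the request DN into the issued subject and the SAN e-mail list.

    When keep_email is False (email_in_dn = no or -noemailDN) every EMAIL
    RDN is dropped from the subject. The addresses are returned in both
    cases, modelling the assumed "email:copy" subjectAltName extension.
    """
    emails = [value for attr, value in req_rdns if attr in EMAIL_ATTRS]
    if keep_email:
        return IssuedNames(list(req_rdns), emails)
    subject = [(a, v) for a, v in req_rdns if a not in EMAIL_ATTRS]
    if not subject:
        # A request whose DN is only an e-mail address would otherwise
        # produce an empty subject; refuse it instead of issuing that.
        raise ValueError("subject would be empty after removing EMAIL")
    return IssuedNames(subject, emails)


def issue_names(subj: str, config_value: Optional[str] = None,
                noemail_flag: bool = False) -> Tuple[str, List[str]]:
    """Request subject string -> (issued subject string, SAN e-mail list)."""
    names = apply_email_policy(parse_subject(subj),
                               email_in_dn(config_value, noemail_flag))
    return format_subject(names.subject), names.rfc822_names


if __name__ == "__main__":
    # Constructed sample request subject, not taken from the message.
    req = "/C=IT/O=OpenCA/CN=Max/emailAddress=max@example.org"
    print(issue_names(req))                            # default: EMAIL kept
    print(issue_names(req, config_value="no"))         # email_in_dn = no
    print(issue_names(req, "yes", noemail_flag=True))  # the switch wins
```

Unlike the C patch, which takes the attribute out of the X509_NAME while building the subject, this version works on the textual form so it can be run offline; the remaining RDNs keep their request order, which is what -preserveDN expects, and a request consisting of nothing but an e-mail address is rejected rather than issued with an empty subject.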
Re: Patches for OpenSSL [EMAIL in DN]
> This patch adds the possibility to not include the EMAIL field in the
> DN of the issued certificate when issuing a new certificate. This was
> needed as the inclusion of the EMAIL is actually deprecated by RFCs.

This functionality already exists, at least in the 0.9.7 branch. There's a configuration option in the openssl.conf file that lets you either copy or move the email address from the X509 subject to the subjectAltName extension.

--
Harald Koch     [EMAIL PROTECTED]

"It takes a child to raze a village."
                -Michael T. Fry
Rijndael Patches for OpenSSL 0.9.6: Act 2
Attached are the patches for OpenSSL 0.9.6 to enable the AES winner: Rijndael. Also attached are the files that are not included in the patch and are new.

Nine files:
1. rijndael.diff - The diff file to use with "patch -p3 -u"
2. cmd - The command executed to create the diff file.
3. exclude - The files that were excluded.
4. rijndael.c - crypt/rijndael/rijndael.c
5. rijndael.h - crypt/rijndael/rijndael.h
6. Makefile.ssl - crypt/rijndael/Makefile.ssl
7. e_rijndael.c - crypt/evp/rijndael/e_rijndael.c
8. rijntest.c - crypt/rijndael/rijntest.c
9. boxes-fst.dat - crypt/rijndael/boxes-fst.dat

Procedure for using the patch:
1. tar zxf openssl-0.9.6.tgz
2. patch -p3 -u < rijndael.diff
3. Copy the attached source files into the specified directories.
4. cd openssl-0.9.6
5. Configure
6. make update
7. Configure
8. make
9. make test

Tested on:
1. RedHat Linux 7.0 under Intel and Borland C++ Builder 4.0 under Windoze 98.
2. It should work on most 32-bit architectures; I have no idea whether it would work on 64-bit architectures and have no access to be able to test it.

Features and Limitations:
1. It defaults to a 256-bit key but can be configured for 128- and 192-bit keys too.
2. The block length has been left at 128 bits, but according to the specifications it is trivial to adjust upwards in 32-bit increments.
3. Only CBC and ECB modes have been implemented.

License:
1. I just took the code from the original Rijndael example code from the author's web-site at http://www.esat.kuleuven.ac.be/~rijmen/rijndael/.
2. He made it freely available so I'm uncertain what to do with the license.
3. I personally wouldn't mind putting the OpenSSL license in it but maybe we can't.

Comments:
1. The patch fails with openssl-0.9.6/Makefile.ssl but this is not important as this file is recreated when you run "Configure".
2. Any feedback would be appreciated.
3. I don't seem to be receiving any of the replies on my postings so please CC me on any comments you have.
Robert Sandilands

diff -u -p -r -b -d -I .o: .. --exclude-from=/home/robert/ftp/openssl/exclude ./Makefile.org /source/openssl/openssl-0.9.6/Makefile.org --- ./Makefile.org Thu Sep 21 11:23:13 2000 +++ /source/openssl/openssl-0.9.6/Makefile.org Mon Oct 16 13:38:00 2000 @@ -165,7 +165,7 @@ SDIRS= \ des rc2 rc4 rc5 idea bf cast \ bn rsa dsa dh dso \ buffer bio stack lhash rand err objects \ - evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp + evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp rijndael MAKEFILE= Makefile.ssl MAKE= make -f Makefile.ssl diff -u -p -r -b -d -I .o: .. --exclude-from=/home/robert/ftp/openssl/exclude ./Makefile.ssl /source/openssl/openssl-0.9.6/Makefile.ssl --- ./Makefile.ssl Tue Oct 24 11:31:30 2000 +++ /source/openssl/openssl-0.9.6/Makefile.ssl Fri Oct 20 15:19:55 2000 @@ -11,9 +11,9 @@ SHLIB_VERSION_NUMBER=0.9.6 SHLIB_VERSION_HISTORY= SHLIB_MAJOR=0 SHLIB_MINOR=9.6 -PLATFORM=debug-linux-elf-noefence +PLATFORM=BC-32 OPTIONS= -CONFIGURE_ARGS=debug-linux-elf-noefence +CONFIGURE_ARGS=BC-32 SHLIB_TARGET= # INSTALL_PREFIX is for package builders so that they can configure @@ -54,20 +54,20 @@ OPENSSLDIR=/usr/local/ssl # equal 4. # PKCS1_CHECK - pkcs1 tests. -CC= gcc +CC= bcc32 #CFLAG= -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall -Wuninitialized -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -CFLAG= -DTHREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM +CFLAG= -DTHREADS -DDSO_WIN32 DEPFLAG= PEX_LIBS= -L. -L.. -L../.. -L../../.. -EX_LIBS= -ldl +EX_LIBS= AR=ar r -RANLIB= /usr/bin/ranlib -PERL= /usr/bin/perl +RANLIB= true +PERL= perl TAR= tar TARFLAGS= --no-recursion # Set BN_ASM to bn_asm.o if you want to use the C version -BN_ASM= asm/bn86-elf.o asm/co86-elf.o +BN_ASM= bn_asm.o #BN_ASM= bn_asm.o #BN_ASM= asm/bn86-elf.o# elf, linux-elf #BN_ASM= asm/bn86-sol.o # solaris 
@@ -87,7 +87,7 @@ PROCESSOR= # Set DES_ENC to des_enc.o if you want to use the C version #There are 4 x86 assember options. -DES_ENC= asm/dx86-elf.o asm/yx86-elf.o +DES_ENC= des_enc.o fcrypt_b.o #DES_ENC= des_enc.o fcrypt_b.o # C #DES_ENC= asm/dx86-elf.o asm/yx86-elf.o # elf #DES_ENC= asm/dx86-sol.o asm/yx86-sol.o # solaris @@ -96,7 +96,7 @@ DES_ENC= asm/dx86-elf.o asm/yx86-elf.o # Set BF_ENC to bf_enc.o if you want to use the C version #There are 4 x86 assember options. -BF_ENC= asm/bx86-elf.o +BF_ENC= bf_enc.o #BF_ENC= bf_enc.o #BF_ENC= asm/bx86-elf.o # elf #BF_ENC= asm/bx86-sol.o # solaris @@ -105,7 +105,7 @@ BF_ENC= asm/bx86-elf.o # Set CAST_ENC to c_enc.o if you want to use the C version #There are 4 x86 assember options. -CAST_ENC= asm/cx86-elf.o +CAST_ENC= c_enc.o #CAST_ENC= c_enc.o #CAST_ENC= asm/cx86-elf.o # elf #CAST_ENC= asm/cx86-sol.o # solaris @@ -114,7 +114,7 @@ CAST
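Review bot: the ./Makefile.ssl hunks (`-PLATFORM=debug-linux-elf-noefence` to `+PLATFORM=BC-32`, `-CC= gcc` to `+CC= bcc32`, and the CFLAG, EX_LIBS, RANLIB, PERL, BN_ASM, DES_ENC, BF_ENC and CAST_ENC lines) are the local Configure output for the Borland build, not part of the Rijndael change, and the cover message itself says this file fails to apply and is recreated by Configure. Add Makefile.ssl to the exclude file so the diff carries only the Makefile.org SDIRS change and the Rijndael code; reviewers then do not have to separate the cipher integration from one machine's platform settings.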
Rijndael Patches for OpenSSL 0.9.6
Attached are the patches for OpenSSL 0.9.6 to enable the AES winner: Rijndael.

Three files:
1. rijndael.diff - The diff file to use with "patch -p3 -u"
2. cmd - The command executed to create the diff file.
3. exclude - The files that were excluded.

Procedure for using the patch:
1. tar zxf openssl-0.9.6.tgz
2. patch -p3 -u < rijndael.diff
3. cd openssl-0.9.6
4. Configure
5. make update
6. Configure
7. make
8. make test

Tested on:
1. RedHat Linux 7.0 under Intel and Borland C++ Builder 4.0 under Windoze 98.
2. It should work on most 32-bit architectures; I have no idea whether it would work on 64-bit architectures and have no access to be able to test it.

Features and Limitations:
1. It defaults to a 256-bit key but can be configured for 128- and 192-bit keys too.
2. The block length has been left at 128 bits, but according to the specifications it is trivial to adjust upwards in 32-bit increments.
3. Only CBC and ECB modes have been implemented.

License:
1. I just took the code from the original Rijndael example code from the author's web-site at http://www.esat.kuleuven.ac.be/~rijmen/rijndael/.
2. He made it freely available so I'm uncertain what to do with the license.
3. I personally wouldn't mind putting the OpenSSL license in it but maybe we can't.

Comments:
1. The patch fails with openssl-0.9.6/Makefile.ssl but this is not important as this file is recreated when you run "Configure".
2. Any feedback would be appreciated.

Robert Sandilands

diff -u -p -r -b -d -I .o: .. --exclude-from=/home/robert/ftp/openssl/exclude ./Makefile.org /source/openssl/openssl-0.9.6/Makefile.org --- ./Makefile.org Thu Sep 21 11:23:13 2000 +++ /source/openssl/openssl-0.9.6/Makefile.org Mon Oct 16 13:38:00 2000 
@@ -165,7 +165,7 @@ SDIRS= \ des rc2 rc4 rc5 idea bf cast \ bn rsa dsa dh dso \ buffer bio stack lhash rand err objects \ - evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp + evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp rijndael MAKEFILE= Makefile.ssl MAKE= make -f Makefile.ssl diff -u -p -r -b -d -I .o: .. --exclude-from=/home/robert/ftp/openssl/exclude ./Makefile.ssl /source/openssl/openssl-0.9.6/Makefile.ssl --- ./Makefile.ssl Tue Oct 24 11:31:30 2000 +++ /source/openssl/openssl-0.9.6/Makefile.ssl Fri Oct 20 15:19:55 2000 @@ -11,9 +11,9 @@ SHLIB_VERSION_NUMBER=0.9.6 SHLIB_VERSION_HISTORY= SHLIB_MAJOR=0 SHLIB_MINOR=9.6 -PLATFORM=debug-linux-elf-noefence +PLATFORM=BC-32 OPTIONS= -CONFIGURE_ARGS=debug-linux-elf-noefence +CONFIGURE_ARGS=BC-32 SHLIB_TARGET= # INSTALL_PREFIX is for package builders so that they can configure @@ -54,20 +54,20 @@ OPENSSLDIR=/usr/local/ssl # equal 4. # PKCS1_CHECK - pkcs1 tests. -CC= gcc +CC= bcc32 #CFLAG= -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall -Wuninitialized -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -CFLAG= -DTHREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM +CFLAG= -DTHREADS -DDSO_WIN32 DEPFLAG= PEX_LIBS= -L. -L.. -L../.. -L../../.. -EX_LIBS= -ldl +EX_LIBS= AR=ar r -RANLIB= /usr/bin/ranlib -PERL= /usr/bin/perl +RANLIB= true +PERL= perl TAR= tar TARFLAGS= --no-recursion # Set BN_ASM to bn_asm.o if you want to use the C version -BN_ASM= asm/bn86-elf.o asm/co86-elf.o +BN_ASM= bn_asm.o #BN_ASM= bn_asm.o #BN_ASM= asm/bn86-elf.o# elf, linux-elf #BN_ASM= asm/bn86-sol.o # solaris 
@@ -87,7 +87,7 @@ PROCESSOR= # Set DES_ENC to des_enc.o if you want to use the C version #There are 4 x86 assember options. -DES_ENC= asm/dx86-elf.o asm/yx86-elf.o +DES_ENC= des_enc.o fcrypt_b.o #DES_ENC= des_enc.o fcrypt_b.o # C #DES_ENC= asm/dx86-elf.o asm/yx86-elf.o # elf #DES_ENC= asm/dx86-sol.o asm/yx86-sol.o # solaris @@ -96,7 +96,7 @@ DES_ENC= asm/dx86-elf.o asm/yx86-elf.o # Set BF_ENC to bf_enc.o if you want to use the C version #There are 4 x86 assember options. -BF_ENC= asm/bx86-elf.o +BF_ENC= bf_enc.o #BF_ENC= bf_enc.o #BF_ENC= asm/bx86-elf.o # elf #BF_ENC= asm/bx86-sol.o # solaris @@ -105,7 +105,7 @@ BF_ENC= asm/bx86-elf.o # Set CAST_ENC to c_enc.o if you want to use the C version #There are 4 x86 assember options. -CAST_ENC= asm/cx86-elf.o +CAST_ENC= c_enc.o #CAST_ENC= c_enc.o #CAST_ENC= asm/cx86-elf.o # elf #CAST_ENC= asm/cx86-sol.o # solaris @@ -114,7 +114,7 @@ CAST_ENC= asm/cx86-elf.o # Set RC4_ENC to rc4_enc.o if you want to use the C version #There are 4 x86 assember options. -RC4_ENC= asm/rx86-elf.o +RC4_ENC= rc4_enc.o #RC4_ENC= rc4_enc.o #RC4_ENC= asm/rx86-elf.o # elf #RC4_ENC= asm/rx86-sol.o # solaris @@ -123,7 +123,7 @@ RC4_ENC= asm/rx86-elf.o # Set RC5_ENC to rc5_enc.o if you want to use the C version #There are 4 x86 assember options. -RC5_ENC= asm/r586-elf.o +RC5_ENC= rc5_enc.o #RC5_ENC= rc5_enc.o #RC5_ENC= asm/r586-elf.o # elf #RC5_ENC= asm/
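Review bot: the Makefile.org hunk adds `rijndael` to SDIRS, but none of the files that directory needs (the cipher source and header, its Makefile.ssl, the EVP glue) appear anywhere in the diff; `diff -r` without `-N`/`--new-file` silently skips files that exist on only one side, so applying this patch leaves crypto/rijndael empty and `make` fails there. Rerun the diff with `-N` so the new files are part of rijndael.diff, or ship them alongside with their target paths listed, as the later "Act 2" posting does.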
Re: Rijndael Patches for OpenSSL 0.9.6
On Fri, Oct 27, 2000 at 10:52:16AM +0200, Robert Sandilands wrote:

> Attached is the patches for OpenSSL 0.9.6 to enable the AES winner:Rijndael.

Your patch doesn't seem to include any of your new files, such as the one actually containing the Rijndael implementation ...

Anyway, Ben has already included experimental Rijndael support into OpenSSL, using the optimised public domain implementation by Bosselaers, Rijmen, and Barreto (see current OpenSSL snapshots). There's no EVP integration yet though, and even the filenames used are subject to change (they should differ in the first 8 characters, but don't).

--
Bodo Möller [EMAIL PROTECTED]
PGP http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller/0x36d2c658.html
* TU Darmstadt, Theoretische Informatik, Alexanderstr. 10, D-64283 Darmstadt
* Tel. +49-6151-16-6628, Fax +49-6151-16-6036
Rijndael Patches for OpenSSL 0.9.6
Attached is the patches for OpenSSL 0.9.6 to enable the AES winner:Rijndael. Three files: 1. rijndael.diff - The diff file to use with "patch -p3 -u" 2. cmd - The command executed to create the diff file. 3. exclude - The files that were excluded. Procedure for using patch: 1. tar zxf openssl-0.9.6.tgz 2. patch -p3 -u rijndael.diff 3. cd openssl-0.9.6 4. Configure 5. make update 6. Configure 7. make 8. make test Tested on: 1. RedHat Linux 7.0 under Intel and Borland C++ Builder 4.0 under Windoze 98. 2. It should work on most 32-bit architectures and I have no idea whether it would work on 64-bit architectures and have no access to be able to test it. Features and Limitations: 1. It defaults to a 256-bit key but can be configured for 128 and 192-bit keys too. 2. The block length have been left at 128-bit's but according to the specifications it is trivial to adjust upwards in 32-bit increments. 3. Only CBC and ECB modes have been implimented. License: 1. I just took the code from the original Rijndael example code from the author's web-site at http://www.esat.kuleuven.ac.be/~rijmen/rijndael/. 2. He made it freely available so I'm uncertain what to do with the license. 3. I personally wouldn't mind putting the OpenSSL license in it but maybe we can't. Comments: 1. The patch fails with openssl-0.9.6/Makefile.ssl but this is not important as this file is recreated when you run "Configure". 2. Any feedback would be appreciated. Robert Sandilands diff -u -p -r -b -d -I .o: .. --exclude-from=/home/robert/ftp/openssl/exclude ./Makefile.org /source/openssl/openssl-0.9.6/Makefile.org --- ./Makefile.org Thu Sep 21 11:23:13 2000 +++ /source/openssl/openssl-0.9.6/Makefile.org Mon Oct 16 13:38:00 2000 
@@ -165,7 +165,7 @@ SDIRS= \ des rc2 rc4 rc5 idea bf cast \ bn rsa dsa dh dso \ buffer bio stack lhash rand err objects \ - evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp + evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp rijndael MAKEFILE= Makefile.ssl MAKE= make -f Makefile.ssl diff -u -p -r -b -d -I .o: .. --exclude-from=/home/robert/ftp/openssl/exclude ./Makefile.ssl /source/openssl/openssl-0.9.6/Makefile.ssl --- ./Makefile.ssl Tue Oct 24 11:31:30 2000 +++ /source/openssl/openssl-0.9.6/Makefile.ssl Fri Oct 20 15:19:55 2000 @@ -11,9 +11,9 @@ SHLIB_VERSION_NUMBER=0.9.6 SHLIB_VERSION_HISTORY= SHLIB_MAJOR=0 SHLIB_MINOR=9.6 -PLATFORM=debug-linux-elf-noefence +PLATFORM=BC-32 OPTIONS= -CONFIGURE_ARGS=debug-linux-elf-noefence +CONFIGURE_ARGS=BC-32 SHLIB_TARGET= # INSTALL_PREFIX is for package builders so that they can configure @@ -54,20 +54,20 @@ OPENSSLDIR=/usr/local/ssl # equal 4. # PKCS1_CHECK - pkcs1 tests. -CC= gcc +CC= bcc32 #CFLAG= -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall -Wuninitialized -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -CFLAG= -DTHREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM +CFLAG= -DTHREADS -DDSO_WIN32 DEPFLAG= PEX_LIBS= -L. -L.. -L../.. -L../../.. -EX_LIBS= -ldl +EX_LIBS= AR=ar r -RANLIB= /usr/bin/ranlib -PERL= /usr/bin/perl +RANLIB= true +PERL= perl TAR= tar TARFLAGS= --no-recursion # Set BN_ASM to bn_asm.o if you want to use the C version -BN_ASM= asm/bn86-elf.o asm/co86-elf.o +BN_ASM= bn_asm.o #BN_ASM= bn_asm.o #BN_ASM= asm/bn86-elf.o# elf, linux-elf #BN_ASM= asm/bn86-sol.o # solaris 
@@ -87,7 +87,7 @@ PROCESSOR= # Set DES_ENC to des_enc.o if you want to use the C version #There are 4 x86 assember options. -DES_ENC= asm/dx86-elf.o asm/yx86-elf.o +DES_ENC= des_enc.o fcrypt_b.o #DES_ENC= des_enc.o fcrypt_b.o # C #DES_ENC= asm/dx86-elf.o asm/yx86-elf.o # elf #DES_ENC= asm/dx86-sol.o asm/yx86-sol.o # solaris @@ -96,7 +96,7 @@ DES_ENC= asm/dx86-elf.o asm/yx86-elf.o # Set BF_ENC to bf_enc.o if you want to use the C version #There are 4 x86 assember options. -BF_ENC= asm/bx86-elf.o +BF_ENC= bf_enc.o #BF_ENC= bf_enc.o #BF_ENC= asm/bx86-elf.o # elf #BF_ENC= asm/bx86-sol.o # solaris @@ -105,7 +105,7 @@ BF_ENC= asm/bx86-elf.o # Set CAST_ENC to c_enc.o if you want to use the C version #There are 4 x86 assember options. -CAST_ENC= asm/cx86-elf.o +CAST_ENC= c_enc.o #CAST_ENC= c_enc.o #CAST_ENC= asm/cx86-elf.o # elf #CAST_ENC= asm/cx86-sol.o # solaris @@ -114,7 +114,7 @@ CAST_ENC= asm/cx86-elf.o # Set RC4_ENC to rc4_enc.o if you want to use the C version #There are 4 x86 assember options. -RC4_ENC= asm/rx86-elf.o +RC4_ENC= rc4_enc.o #RC4_ENC= rc4_enc.o #RC4_ENC= asm/rx86-elf.o # elf #RC4_ENC= asm/rx86-sol.o # solaris @@ -123,7 +123,7 @@ RC4_ENC= asm/rx86-elf.o # Set RC5_ENC to rc5_enc.o if you want to use the C version #There are 4 x86 assember options. -RC5_ENC= asm/r586-elf.o +RC5_ENC= rc5_enc.o #RC5_ENC= rc5_enc.o #RC5_ENC= asm/r586-elf.o # elf #RC5_ENC= asm/
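Review bot: the Makefile.ssl hunks (from @@ -11,9 +11,9 @@ through @@ -123,7 +123,7 @@) carry the submitter's local build configuration rather than anything Rijndael-related and should not be in the patch: PLATFORM and CONFIGURE_ARGS change from debug-linux-elf-noefence to BC-32, CC changes from gcc to bcc32, CFLAG drops the -DBN_DEBUG/-DREF_CHECK/-DCRYPTO_MDEBUG debugging defines in favour of -DTHREADS -DDSO_WIN32, EX_LIBS loses -ldl, RANLIB becomes "true", and BN_ASM, DES_ENC, BF_ENC, CAST_ENC, RC4_ENC and RC5_ENC all switch from the x86 assembler objects to the C versions. Since Makefile.ssl is regenerated by Configure (as the cover note itself says), add it to the exclude file so the diff is limited to the Makefile.org SDIRS addition and the Rijndael sources; as posted, anyone applying it on Linux gets a Borland/Win32 configuration forced on them until they re-run Configure, and the hunk is exactly the part the author reports as failing to apply.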
Status of OpenCA patches for OpenSSL...
Hello everyone...

I'm relatively new to these lists, so this may have been hashed out in the past or may be in some FAQ somewhere I can't find. If so, I apologize in advance.

In the OpenCA bundle, there are some patches for OpenSSL that are recommended in the INSTALL document. The latest patches seem to be for OpenSSL 0.9.4 and patches against a snapshot late last year. Examining the patches by hand, they seem to be adding some options for getting status information. Part of the 0.9.4 patch appears to already be in 0.9.5 and the snapshot patch no longer has that part. The snapshot patch does successfully patch 0.9.5. Patches to the code include changes to apps/ca.c to add a -status option and a -updatedb option and some changes to crypto/conf/conf.c (which no longer exists in OpenSSL snapshots although it is still present in 0.9.5).

Now... These changes appear to be useful and needed by the OpenCA project. They also appear to have been kicking around for a while and partially integrated into OpenSSL. What is the status on these patches, given that there are no patches specifically for OpenSSL-0.9.5 or against any recent snapshots? Are they still necessary or are they now redundant in some way? They don't appear to have any negative impact on OpenSSL so, considering how long they've been available, why haven't they been fully integrated into OpenSSL if they do something useful? Is there some reason for NOT integrating them into OpenSSL or applying the patches?

TIA!

Mike
--
Michael H. Warfield | (770) 985-6132 | [EMAIL PROTECTED]
(The Mad Wizard)    | (770) 331-2437 | http://www.wittsend.com/mhw/
NIC whois: MHW9     | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
__
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
