At Tue, 10 Jan 2017 09:42:02 -0500, Freemon Johnson wrote:
>
> Can anyone help me in discerning which version of openssl supports
> sbgp-autonomousSysNum and sbgp-ipAddrBlock? If it has been
> deprecated then providing the alternative would be greatly
> appreciated.
RFC 3779 support has been in
> It's quite probably that in 1.1 they will become X509v3_addr_xxx etc.
Thanks for the heads-up. Having already crossed the "some API changes
will not be 100% backwards compatible" Rubicon, this is no big deal.
--
openssl-dev mailing list
To unsubscribe:
At Thu, 14 Apr 2016 16:57:56 +, Salz, Rich wrote:
>
> Do you use the v3_asid_xxx or v3_addr_xxx API's?
Yes. See:
https://subvert-rpki.hactrn.net/trunk/ext/POW.c
https://subvert-rpki.hactrn.net/trunk/rp/rcynic/rcynic.c
--
openssl-dev mailing list
To unsubscribe:
This is a follow-on to ticket #2482, which fixed an inverted range
problem (range end before range start) in crypto/xv509v3/v3_addr.c.
Turns out the other RFC 3779 module, crypto/xv509v3/v3_asid.c, has
essentially the same error, both allowing generation of an inverted
range and failing to detect
At Wed, 18 May 2011 19:32:25 +0200 (CEST), OpenSSL RT wrote:
Want to get rid of the error in your builds? Add -Bsymbolic
too... It's more than appropriate in cases when you embed
libcrypto.a into another shared library, which [normally] is not
meant to export OpenSSL symbols. By doing so,
I've now tested both Francis Dupont's original patch and Jung-uk Kim's
replacement. Both patches work for my test case (make test with the
rpki.net Python code), both on FreeBSD 8.2-STABLE (with gcc 4.6 and
binutils from ports, to get new enough tools to show the problem with
the unpatched code)
Bug in crypto/x509v3/v3_addr.c, discovered by Frank Ellermann. Under
certain conditions, the code for constructing RFC 3779 IPAddrBlocks
extensions (v2i_IPAddrBlocks() and the functions it calls) will allow
an inverted range (range end before range start), which is a violation
of RFC 3779
One of my co-workers eats assembly language for breakfast. He took a
look at this, whacked together a trivial test case, and handed me a
correction to the assembly code. Credit for this fix should go to
Francis Dupont, not me.
Test case:
$ cat test.c EOF
#include openssl/x509.h
Fix (of sorts) for an obscure problem one is only likely to see while
in shared object hell on a 64-bit Linux system (eg, while attempting
to statically link OpenSSL code into a Python extension module). At
present the problem appears to be Linux-specific, but all we really
know so far is that
I noticed that most instances of assert() in libcrypto are now
OPENSSL_assert(). I see two source files for which this has not
happened: crypto/ts/ts_verify_ctx.c and crypto/x509v3/v3_asid.c.
I can submit this in patch form if you'd prefer, but as the fix is
just to remove the #include assert.h
Friends at BBN have been testing the RFC 3779 code I wrote a few years
ago under contract to ARIN, and have found a few corner cases that I
missed. Patch attached. This should apply to all active branches
containing the RFC 3779 code.
rfc3779-patches.diff
Description: Binary data
Looks like an incomplete conversion from assert() to OPENSSL_assert().
__
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List
any chance of getting this trivial fix included sometime soon?
At Wed, 12 Nov 2008 10:36:45 +0100 (CET), OpenSSL RT wrote:
i2r_address() doesn't handle the all-zeros IPv6 address correctly
(prints : when should print ::).
Trivial fix, to be applied to both 0.9.8 branch and HEAD, please.
i2r_address() doesn't handle the all-zeros IPv6 address correctly
(prints : when should print ::).
Trivial fix, to be applied to both 0.9.8 branch and HEAD, please.
--- crypto/x509v3/v3_addr.c.~1~ 2008-10-14 16:00:15.0 -0400
+++ crypto/x509v3/v3_addr.c 2008-11-11 18:26:02.0
v3_addr_canonize() mistakenly assumes that the comparision function
has already been set. IPAddrBlocks objects constructed by the decoder
do have the comparision function set, but it's possible for a program
to construct IPAddrBlocks for which the assumption is incorrect, which
can trigger a core
Hi. Thanks for the quick fix to RT #1664. I've run into two more
bugs in the CMS code. I can provide isolated test cases if necessary,
but the code that's currently producing these is buried deep in the
guts of a Python extension module, so I'll start by just describing
the problems in the hope
1) CMS_final() and CMS_verify() both appear to be ignoring an
EVP_R_COMMAND_NOT_SUPPORTED error.
Should be fixed now.
Confirmed, patch pulled from CVS appears to fix this. Thanks!
2) CMS_add0_crl() dumps core.
I threw together a quick test program and couldn't reproduce this. Can
Bug in openssl-SNAP-20080417 on FreeBSD 6.3-STABLE. Running
echo Hello, OpenSSL CMS |
openssl cms -sign -signer Alice-EE.cer -inkey Alice-EE.key -certfile
Alice-CA.cer
fails with messages:
674293960:error:2F080098:CMS
routines:CMS_GET0_CERTIFICATE_CHOICES:unsupported content
18 matches
Mail list logo
