Re: [openssl.org #1949] mod_ssl/openssl failures when more than 85 CAs are configured
Hi Steve, Do you also agree with David's proposal to change the calls to BIO_ctrl(, BIO_CTRL_INFO, ) into BIO_wpending() in ssl/*.c? It seems to make sense to me. Yes, I've applied it to all branches now. Many thanks David. Ticket resolved. Just a postscript to the issue. The above minimal fix was applied to OpenSSL but the lack of a corresponding Apache fix has resulted in some problems, not least of which is renegotiation not working because the server hello request is not flushed. As a result the OpenSSL change has been updated to call BIO_CTRL_INFO and if that returns zero BIO_CTRL_WPENDING. This should now cover all cases. Thanks for that fix and for informing us. __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
RE: [openssl.org #2152] FIPS Support
Thank you! Paul -Original Message- From: Martin Paljak [mailto:martin.pal...@gmail.com] On Behalf Of Martin Paljak Sent: Saturday, January 23, 2010 2:08 PM To: openssl-dev@openssl.org Cc: Paul Spencer Subject: Re: [openssl.org #2152] FIPS Support On Jan 23, 2010, at 19:19 , Stephen Henson via RT wrote: [paul.spen...@aepnetworks.com - Sat Jan 23 14:15:49 2010]: When will the OpenSSL community update the FIPS Module for v1.2 to meet the new FIPS requirements that will be enforced by the end of this year? Are you aware of the new requirements for Cryptographic Algorithms and Key Sizes coming at the end of 2010 and do you have plans for them? We are fully aware of the new requirements. The current situation is documented here: http://www.openssl.org/docs/fips/fipsnotes.html I assume there's a minor typo on that page: The CMVP test lab and filing fees are more than pocket change (~USD$25,00 and up) and beyond the financial resources of the OSF. Commas and zeros probably don't match the intended value. -- Martin Paljak http://martin.paljak.pri.ee +3725156495 __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
CRL memory usage
Hi, I want to know the memory usage of CRL file prior to loading ? Basically after call to function d2i_X509_CRL_bio to load large CRL file, my free memory goes down drastically. I understand this behavior because openssl allocate the memory to load CRL. I want to understand how this memory is allocated, is it depend on number of revoked entry into CRL file ? How much memory is allocated per entry ? *Regards,* *Vinod Chaudhary | *Embedded Engineer, eInfochips Limited, Ahmedabad, India Phone: (O) +91-79-26400801 x 132 | (C) +91-9879181944 Website: www.einfochips.com blocked::http://www.einfochips.com/ -- _ Disclaimer: This e-mail message and all attachments transmitted with it are intended solely for the use of the addressee and may contain legally privileged and confidential information. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution, copying, or other use of this message or its attachments is strictly prohibited. If you have received this message in error, please notify the sender immediately by replying to this message and please delete it from your computer. Any views expressed in this message are those of the individual sender unless otherwise stated.Company has taken enough precautions to prevent the spread of viruses. However the company accepts no liability for any damage caused by any virus transmitted by this email. _
[openssl.org #2154] OpenSSL 0.9.8 on UnixWare
CVS OpenSSL_0_9_8-stable pulled 20 Jan 2010 On UnixWare 7.1.4 w/ MP4, OpenSSL 0.9.8 builds and tests fine with both static and dynamic libs. . OpenSSL 0.9.8m-dev 20 Jan 2010 built on: Sat Jan 23 18:42:02 PST 2010 platform: unixware-7 options: bn(64,32) md2(char) rc4(idx,int) des(ptr,risc1,16,long) idea(int) blowfish(idx) compiler: cc -Kpic -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -Kthread -DDSO_DLFCN -DHAVE_DLFCN_H -Kpentium_pro -D__i386__ -O -DFILIO_H -Kalloca -DOPENSSL_BN_ASM_PART_WORDS -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM OPENSSLDIR: /etc/ssl . On UnixWare 7.1.1 w/ MP5, OpenSSL 0.9.8 builds and tests fine with both static and dynamic libs. . OpenSSL 0.9.8m-dev 20 Jan 2010 built on: Sat Jan 23 18:43:24 PST 2010 platform: unixware-7 options: bn(64,32) md2(char) rc4(idx,int) des(ptr,risc1,16,long) idea(int) blowfish(idx) compiler: cc -Kpic -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -Kthread -DDSO_DLFCN -DHAVE_DLFCN_H -D__i386__ -O -DFILIO_H -Kalloca -DOPENSSL_BN_ASM_PART_WORDS -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM OPENSSLDIR: /etc/ssl . -- Tim RiceMultitalents(707) 887-1469 t...@multitalents.net __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: OpenSSL 1.0.0 beta5 release v. VMS
I just had a look at testtsa.com, and yeah, the corresponding shell script has evolved since testtsa.com was last updated. Working on it right now. Cheers, Richard In message 10012423165954_20205...@antinode.info on Sun, 24 Jan 2010 23:16:59 -0600 (CST), Steven M. Schweda s...@antinode.info said: sms From: Richard Levitte rich...@levitte.org sms sms Might be a fault in test/testtsa.com... I'll see if I can find sms something there... sms smsI got some improvement by trying harder to preserve case in some sms places: sms sms -$ call create_tsa_cert 1 tsa_cert sms +$ call create_tsa_cert 1 tsa_cert sms sms -$ call create_tsa_cert 2 non_tsa_cert sms +$ call create_tsa_cert 2 non_tsa_cert sms sms Knowing nothing, I'd guess that the missing TSA_CERT was actually sms supposed to be tsa_cert. I normally run with Parse Style: Extended, sms and that may make me more vulnerable to these things. Or, it could just sms be lame DCL. (Finally, there's a good reason to use: sms X = aBc sms instead of: sms X := aBc sms among other things.) sms sms And correcting some file names: sms sms -$ open/write file VMStsa-response1.create_tsa_cert sms +$ open/write file VMStsa-response_1.create_tsa_cert sms sms -$ define/user sys$input VMStsa-response.create_tsa_cert sms +$ define/user sys$input VMStsa-response_1.create_tsa_cert sms sms -$ open/write file VMStsa-response2.create_tsa_cert sms +$ open/write file VMStsa-response_2.create_tsa_cert sms sms -$ define/user sys$input VMStsa-response.create_tsa_cert sms +$ define/user sys$input VMStsa-response_2.create_tsa_cert sms sms Creating a file named one thing and then using a file named some other sms thing looked suspicious to me. sms smsThe next problem I saw in that test: sms sms unable to load certificates: ./tsaca.pem sms sms seems to be an inability to find a file specified in the .cnf file: sms sms certs = $dir/tsaca.pem sms sms The shell script seems to say things like -out tsaca.pem -keyout sms tsacakey.pem, while the DCL never mentions tsaca.pem. Either more sms code theft or else less would seem to be in order here. sms sms sms smsSteven M. Schweda s...@antinode-info sms382 South Warwick Street(+1) 651-699-9818 smsSaint Paul MN 55105-2547 sms __ sms OpenSSL Project http://www.openssl.org sms Development Mailing List openssl-dev@openssl.org sms Automated List Manager majord...@openssl.org - Please consider sponsoring my work on free software. See http://www.free.lp.se/sponsoring.html for details. -- Richard Levitte rich...@levitte.org http://richard.levitte.org/ Life is a tremendous celebration - and I'm invited! -- from a friend's blog, translated from Swedish __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
[openssl.org #2155] [Bug report] OpenSSL 1.0.0 64-bit build fails under MSVC
I’m trying to build version 1.0 (doesn’t depend which beta snapshot, 0.9.8l is ok) under MS Visual Studio 2008 and it fails if building 64-bit version (switch VC-WIN64A). 32-bit builds ok, also 64-bit with “no-asm” builds ok, but it is about 4x slower which is unacceptable for our application. OS is Windows 7 Professional x64, CPU AMD Athlon II X4 620. The 64-bit build ends up with following errors: Microsoft (R) Macro Assembler (x64) Version 9.00.30729.01 Copyright (C) Microsoft Corporation. All rights reserved. Assembling: tmp32.dbgaes-x86_64.asm tmp32.dbgaes-x86_64.asm(2197) : error A2206:missing operator in expression tmp32.dbgaes-x86_64.asm(2198) : error A2206:missing operator in expression tmp32.dbgaes-x86_64.asm(2199) : error A2206:missing operator in expression tmp32.dbgaes-x86_64.asm(2200) : error A2206:missing operator in expression tmp32.dbgaes-x86_64.asm(2491) : error A2206:missing operator in expression tmp32.dbgaes-x86_64.asm(2492) : error A2206:missing operator in expression tmp32.dbgaes-x86_64.asm(2525) : error A2206:missing operator in expression tmp32.dbgaes-x86_64.asm(2526) : error A2206:missing operator in expression tmp32.dbgaes-x86_64.asm(2559) : error A2206:missing operator in expression tmp32.dbgaes-x86_64.asm(2560) : error A2206:missing operator in expression tmp32.dbgaes-x86_64.asm(2593) : error A2206:missing operator in expression tmp32.dbgaes-x86_64.asm(2594) : error A2206:missing operator in expression tmp32.dbgaes-x86_64.asm(2624) : error A2075:jump destination too far : by 31 by te(s) tmp32.dbgaes-x86_64.asm(2631) : error A2075:jump destination too far : by 11 by te(s) NMAKE : fatal error U1077: 'C:Program Files (x86)Microsoft Visual Studio 9.0 VCBINx86_amd64ml64.EXE' : return code '0x1' Stop. - Big Muscle __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: OpenSSL 1.0.0 beta5 release v. VMS
From: Richard Levitte rich...@levitte.org I just had a look at testtsa.com, and yeah, the corresponding shell script has evolved since testtsa.com was last updated. Working on it right now. Skipping that one, ... ALP $ @ tests test_ige Test IGE mode %DCL-W-ACTIMAGE, error activating image SYS$DISK:[-.ALPHA.EXE.TEST]IGETEST -CLI-E-IMAGEFNF, image file not found ALP$DKA0:[UTILITY.SOURCE.OPENSSL.OPENSSL-1 ^.0^.0-BETA5.ALPHA.EXE.TEST]IGETEST.EXE; ALP $ @ tests test_jpake Test JPAKE [...] A-B s3a Bob fails to process Alice's step 3a 2075840056:error:3106706A:lib(49):JPAKE_STEP3A_process:hash of hash of key misma tch:ALP$DKA0:[UTILITY.SOURCE.OPENSSL.openssl-1^.0^.0-beta5.crypto.jpake]jpake.c; 1:443: ALP $ @ tests test_cms CMS consistency test Can't find OpenSSL executable at cms-test.pl line 68. %RMS-F-SYN, file specification syntax error Steven M. Schweda s...@antinode-info 382 South Warwick Street(+1) 651-699-9818 Saint Paul MN 55105-2547 __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: [openssl.org #2153] OpenSSL 1.0.0 on UnixWare
On Sun, 24 Jan 2010, The default queue via RT wrote: CVS OpenSSL_1_0_0-stable pulled 20 Jan 2010 On UnixWare 7.1.4 w/ MP4, If I build OpenSSL without static libs it builds and tests fine. . ALL TESTS SUCCESSFUL. OPENSSL_CONF=apps/openssl.cnf util/opensslwrap.sh version -a OpenSSL 1.0.0-beta6-dev 20 Jan 2010 built on: Sat Jan 23 11:10:13 PST 2010 platform: unixware-7 options: bn(64,32) rc4(1x,char) des(ptr,risc1,16,long) idea(int) blowfish(idx) compiler: cc -DZLIB -DOPENSSL_THREADS -Kthread -DDSO_DLFCN -DHAVE_DLFCN_H -Kpentium_pro -D__i386__ -O -DFILIO_H -Kalloca -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DWHIRLPOOL_ASM OPENSSLDIR: /etc/ssl . If I add the shared option to config it will build but tests fail. . enveloped content test streaming S/MIME format, 3 recipients, keyid: OK enveloped content test streaming PEM format, KEK: verify error *** Error code 1 (bu21) UX:make: ERROR: fatal error. . It looks like I've uncovered a compiler optimization bug. If I remove the -Kpentium_pro option all test pass. .. ALL TESTS SUCCESSFUL. OPENSSL_CONF=apps/openssl.cnf util/opensslwrap.sh version -a OpenSSL 1.0.0-beta6-dev 20 Jan 2010 built on: Mon Jan 25 09:09:25 PST 2010 platform: unixware-7 options: bn(64,32) rc4(1x,char) des(ptr,risc1,16,long) idea(int) blowfish(idx) compiler: cc -Kpic -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -Kthread -DDSO_DLFCN -DHAVE_DLFCN_H -D__i386__ -O -DFILIO_H -Kalloca -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DWHIRLPOOL_ASM OPENSSLDIR: /etc/ssl .. For reference Optimizing C Compilation System (CCS) 4.2 05/13/08 (uw714mp4.bl3h) Now I need to come up with a small reproducable test case and report it to the vendor. -- Tim RiceMultitalents(707) 887-1469 t...@multitalents.net __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
RE: OpenSSL 1.0.0 beta5 release v. VMS
Hello, I have downloaded openssl-1.0.0-stable-SNAP-20100125.tar.gz and tested and it looks much better then earlier. Thank you. However there are still some issues left with tests. 1. in .testtests.com sslroot definition does not work $ sslroot = f$parse(sys$disk:[-.apps];syntax_only) - ].;+ .] $ define /translation_attributes = concealed sslroot 'sslroot' I have been forced to do it on more old fashioned way in order to get this work $ ROOT = F$PARSE(__here,[]A.;0,,,SYNTAX_ONLY,NO_CONCEAL) - A.;0 $ ROOT_DEV = F$PARSE(ROOT,,,DEVICE,SYNTAX_ONLY) $ ROOT_DIR = F$PARSE(ROOT,,,DIRECTORY,SYNTAX_ONLY) - - .][00 - [00. - ][ - [ - ] - .TEST $ ROOT = ROOT_DEV + [ + ROOT_DIR $ DEFINE/NOLOG SSLROOT 'ROOT'.APPS.] /TRANS=CONC 2. there are still problems with testtsa.com but Richard works on that if I understood correctly. Using configuration from [-]CATSA.CNF Error Loading extension section TSA_CERT 2071080376:error:02001002:system library:fopen:no such file or directory:USRDSK:[ZAY.WORK.OPENSSL-100-STABLE-SNAP-20100125 .CRYPTO.BIO]BSS_FILE.C;1:126:fopen('./demoCA/index.txt-attr','r') 3. Manually started JPAKETEST fails!!! TITAN2_ZAY $ mc USRDSK:ZAY.WORK.OPENSSL-100-STABLE-SNAP-20100125.IA64.EXE.TESTJPAKETEST.EXE p = F9E5B365665EA7A05A9C534502780FEE6F1AB5BD4F49947FD036DBD7E905269AF46EF28B0FC07487EE4F5D20FB3C0AF8E700F3A2FA3414970CBED4 4FEDFF80CE78D800F184BB82435D137AADA2C6C16523247930A63B85661D1FC817A51ACD96168E95898A1F83A79FFB529368AA7833ABD1B0C3AEDDB14D 2E1A2F71D99F763F g = 2 q = 7CF2D9B2B32F53D02D4E29A2813C07F7378D5ADEA7A4CA3FE81B6DEBF482934D7A37794587E03A43F727AE907D9E057C738079D17D1A0A4B865F6A 27F6FFC0673C6C0078C25DC121AE89BD56D16360B291923C98531DC2B30E8FE40BD28D66CB0B474AC4C50FC1D3CFFDA949B4553C19D5E8D861D76ED8A6 970D17B8ECCFBB1F A-B s1 B-A s1 A-B s2 B-A s2 Alice's key = 3722C81D780857B4AAE63D109950698938A846C11E616ED29419A986C6D813E35F6969F9B2C70DD399437978DEAE71606425ADF08D7D 3459B0D8EB19B21D732A038A478B0BAF7A818E5266D75A1097D3F43384D6A9F2DD774AB67D282DF907DD2519F2A5185792DAE8C742BD4D4E91340DDBB0 8956856284831D9E3C475BF150 Bob's key = 3722C81D780857B4AAE63D109950698938A846C11E616ED29419A986C6D813E35F6969F9B2C70DD399437978DEAE71606425ADF08D7D 3459B0D8EB19B21D732A038A478B0BAF7A818E5266D75A1097D3F43384D6A9F2DD774AB67D282DF907DD2519F2A5185792DAE8C742BD4D4E91340DDBB0 8956856284831D9E3C475BF150 A-B s3a B-A s3b A-B s1 B-A s1 A-B s2 B-A s2 Alice's key = A7F469FF38ED3BA3225E1B05A8B44F3643A9128E4E0D2E225744CD58DE55C5D02276E4011B27A91AEEF3AE6B43D827CC61E6D2E933A5 E8C0601A0E25B434402F8AB9C04855F06794436D592FBE922ED027A37B285207C30F63A25115433DA1F8499CB8B5A09D945981489C18CED798944B873E 37DA5200793F2F5283A3BA2704 Bob's key = F2FFD37A8934C66480E43F126DC9EB79CBD4F82ACC0686434407A83AFCCC467FDDD50B5C5DCE74CCE490027033E411701F80C62DE0F9 BFC1611DBD2F1249C3ACC13E724AFBFC10120F57DC304DD6EF7A972DBA33C5008776486ACAF4A0EE5AB2958E8585A0A94BF7E77805DED664956532DBDC BA4602C2AD1791C917F9CFDF19 A-B s3a Bob fails to process Alice's step 3a 2071080376:error:3106706A:lib(49):JPAKE_STEP3A_process:hash of hash of key mismatch:USRDSK:[ZAY.WORK.OPENSSL-100-STABLE-SN AP-20100125.CRYPTO.JPAKE]JPAKE.C;1:443: 4. igetest - exe does not exists at all. We're not building at all? 5. I have suggested earlier and sent a patch for using the second (currently empty, unused) parameter for configuring 32 or 64 bit pointer size. I still think that it would be useful to have. $! $! Check To See If P2 Is Blank. $! $ IF (P2.EQS.32) $ THEN $POINTER_SIZE = 32 $ ELSE $ IF (P3.EQS.64) $ THEN $ POINTER_SIZE = 64 $ ELSE $! $!Tell The User Entered An Invalid Option.. $! $ WRITE SYS$OUTPUT $ WRITE SYS$OUTPUT The Option ,P2, Is Invalid. The Valid Options Are: $ WRITE SYS$OUTPUT $ WRITE SYS$OUTPUT 32 : Compile with 32 bit pointer size $ WRITE SYS$OUTPUT 64 : Compile with 64 bit pointer size $ WRITE SYS$OUTPUT $! $!Time To EXIT. $! $ GOTO TIDY $! $! End The Valid Argument Check. $! $ ENDIF $ ENDIF $! End The P2 Check. ... and further down add this to compiler flags: $! Write The [.CRYPTO.ARCH]BUILDINF.H File. $! $ WRITE H_FILE #define CFLAGS /pointer_size=''POINTER_SIZE'/float=g /* compiler flags */ Regards, Z -Original Message- From: Richard Levitte [mailto:rich...@levitte.org] Sent: den 25 januari 2010 01:26 To: openssl-dev@openssl.org; s...@antinode.info Subject: Re: OpenSSL 1.0.0 beta5 release v. VMS For VMS folks, please have a look at upcoming snapshots. I've applied the recent changes suggest by Steven M. Schweda s...@antinode.info and changed test/CAtsa.cnf following his comments on the use of $ENV::HOME there... I have performed no tests yes following the changes, so I do not know what the result will be. I'll keep on working on this in the week that follows. Cheers, Richard - Please consider sponsoring my work on free software. See http://www.free.lp.se/sponsoring.html
Re: OpenSSL 1.0.0 beta5 release
Problem (small) with x86_64: asm/x86_64-gcc.c:102:1: warning: sqr redefined Probably a missing #undef sqr in crypto/bn/asm/x86_64-gcc.c:64 Best, -- Emanuele Cesena emanuele.ces...@gmail.com Il corpo non ha ideali smime.p7s Description: S/MIME cryptographic signature
RE: *****SPAM(4.2)***** [openssl.org #2086] Resolved: problem with bufferoverflowu.lib on x64 VS2008
Appears to be fixed in 1.0.0 tree; but 0.9.8m-beta still has part of the problem because it didn't get the remove duplicate code part of e.g. http://cvs.openssl.org/chngview?cn=18895 . -- - Ariel Salomon / Security Lead, Senior Software Engineer Real-Time Innovations (RTI) / www.rti.com 408 990-7439 / ar...@rti.com RTI - The Real-Time Middleware Experts -Original Message- From: Andy Polyakov via RT [mailto:r...@openssl.org] Sent: Thursday, January 07, 2010 3:07 AM To: Ariel Salomon Subject: *SPAM(4.2)* [openssl.org #2086] Resolved: problem with bufferoverflowu.lib on x64 VS2008 According to our records, your request has been resolved. If you have any further questions or concerns, please respond to this message. __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org