Re: [openssl.org #1949] mod_ssl/openssl failures when more than 85 CAs are configured

2010-01-25 Thread Maarten.Litmaath 

Hi Steve,


Do you also agree with David's proposal to change the calls to
BIO_ctrl(, BIO_CTRL_INFO, ) into BIO_wpending() in ssl/*.c?  It seems
to
make sense to me.



Yes, I've applied it to all branches now. Many thanks David. Ticket
resolved.



Just a postscript to the issue. The above minimal fix was applied to
OpenSSL but the lack of a corresponding Apache fix has resulted in some
problems, not least of which is renegotiation not working because the
server hello request is not flushed.

As a result the OpenSSL change has been updated to call BIO_CTRL_INFO
and if that returns zero BIO_CTRL_WPENDING. This should now cover all cases.


Thanks for that fix and for informing us.
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

RE: [openssl.org #2152] FIPS Support

2010-01-25 Thread Paul Spencer 
Thank you!

Paul

-Original Message-
From: Martin Paljak [mailto:martin.pal...@gmail.com] On Behalf Of Martin
Paljak
Sent: Saturday, January 23, 2010 2:08 PM
To: openssl-dev@openssl.org
Cc: Paul Spencer
Subject: Re: [openssl.org #2152] FIPS Support


On Jan 23, 2010, at 19:19 , Stephen Henson via RT wrote:

 [paul.spen...@aepnetworks.com - Sat Jan 23 14:15:49 2010]:
 
 When will the OpenSSL community update the FIPS Module for v1.2 to
meet
 the new FIPS requirements that will be enforced by the end of this
year?
 
 Are you aware of the new requirements for Cryptographic Algorithms
and
 Key Sizes coming at the end of 2010 and do you have plans for them?
 
 
 We are fully aware of the new requirements. The current situation is
 documented here:
 
 http://www.openssl.org/docs/fips/fipsnotes.html

I assume there's a minor typo on that page:

The CMVP test lab and filing fees are more than pocket change
(~USD$25,00 and up) and beyond the financial resources of the OSF. 

Commas and zeros probably don't match the intended value.


-- 
Martin Paljak
http://martin.paljak.pri.ee
+3725156495
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

CRL memory usage

2010-01-25 Thread Vinod.Chaudhary 

Hi,

I want to know the memory usage of CRL file prior to loading ?

Basically after call to function d2i_X509_CRL_bio to load large CRL 
file, my free memory goes down drastically. I understand this behavior 
because openssl allocate the memory to load CRL.


I want to understand how this memory is allocated, is it depend on 
number of revoked entry into CRL file ? How much memory is allocated per 
entry ?


*Regards,*

*Vinod Chaudhary | *Embedded Engineer,
eInfochips Limited, Ahmedabad, India
Phone: (O) +91-79-26400801 x 132 | (C) +91-9879181944
Website: www.einfochips.com blocked::http://www.einfochips.com/


--
_
Disclaimer: This e-mail message and all attachments transmitted with it
are intended solely for the use of the addressee and may contain legally
privileged and confidential information. If the reader of this message
is not the intended recipient, or an employee or agent responsible for
delivering this message to the intended recipient, you are hereby
notified that any dissemination, distribution, copying, or other use of
this message or its attachments is strictly prohibited. If you have
received this message in error, please notify the sender immediately by
replying to this message and please delete it from your computer. Any
views expressed in this message are those of the individual sender
unless otherwise stated.Company has taken enough precautions to prevent
the spread of viruses. However the company accepts no liability for any
damage caused by any virus transmitted by this email.
_

[openssl.org #2154] OpenSSL 0.9.8 on UnixWare

2010-01-25 Thread Tim Rice via RT 

CVS OpenSSL_0_9_8-stable pulled 20 Jan 2010

On UnixWare 7.1.4 w/ MP4, OpenSSL 0.9.8 builds and tests fine with both
static and dynamic libs.
.
OpenSSL 0.9.8m-dev 20 Jan 2010
built on: Sat Jan 23 18:42:02 PST 2010
platform: unixware-7
options:  bn(64,32) md2(char) rc4(idx,int) des(ptr,risc1,16,long) idea(int) 
blowfish(idx) 
compiler: cc -Kpic -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -Kthread -DDSO_DLFCN 
-DHAVE_DLFCN_H -Kpentium_pro -D__i386__ -O -DFILIO_H -Kalloca 
-DOPENSSL_BN_ASM_PART_WORDS -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM
OPENSSLDIR: /etc/ssl
.


On UnixWare 7.1.1 w/ MP5, OpenSSL 0.9.8 builds and tests fine with both
static and dynamic libs.
.
OpenSSL 0.9.8m-dev 20 Jan 2010
built on: Sat Jan 23 18:43:24 PST 2010
platform: unixware-7
options:  bn(64,32) md2(char) rc4(idx,int) des(ptr,risc1,16,long) idea(int) 
blowfish(idx) 
compiler: cc -Kpic -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -Kthread -DDSO_DLFCN 
-DHAVE_DLFCN_H -D__i386__ -O -DFILIO_H -Kalloca -DOPENSSL_BN_ASM_PART_WORDS 
-DSHA1_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM
OPENSSLDIR: /etc/ssl
.


-- 
Tim RiceMultitalents(707) 887-1469
t...@multitalents.net


__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

Re: OpenSSL 1.0.0 beta5 release v. VMS

2010-01-25 Thread Richard Levitte 
I just had a look at testtsa.com, and yeah, the corresponding shell
script has evolved since testtsa.com was last updated.  Working on it
right now.

Cheers,
Richard

In message 10012423165954_20205...@antinode.info on Sun, 24 Jan 2010 23:16:59 
-0600 (CST), Steven M. Schweda s...@antinode.info said:

sms From: Richard Levitte rich...@levitte.org
sms 
sms  Might be a fault in test/testtsa.com...  I'll see if I can find
sms  something there...
sms 
smsI got some improvement by trying harder to preserve case in some
sms places:
sms 
sms -$  call create_tsa_cert 1 tsa_cert
sms +$  call create_tsa_cert 1 tsa_cert
sms 
sms -$  call create_tsa_cert 2 non_tsa_cert
sms +$  call create_tsa_cert 2 non_tsa_cert
sms 
sms Knowing nothing, I'd guess that the missing TSA_CERT was actually
sms supposed to be tsa_cert.  I normally run with Parse Style: Extended,
sms and that may make me more vulnerable to these things.  Or, it could just
sms be lame DCL.  (Finally, there's a good reason to use:
sms   X = aBc
sms instead of:
sms   X := aBc
sms among other things.)
sms 
sms And correcting some file names:
sms 
sms -$  open/write file VMStsa-response1.create_tsa_cert
sms +$  open/write file VMStsa-response_1.create_tsa_cert
sms 
sms -$  define/user sys$input VMStsa-response.create_tsa_cert
sms +$  define/user sys$input VMStsa-response_1.create_tsa_cert
sms 
sms -$  open/write file VMStsa-response2.create_tsa_cert
sms +$  open/write file VMStsa-response_2.create_tsa_cert
sms 
sms -$  define/user sys$input VMStsa-response.create_tsa_cert
sms +$  define/user sys$input VMStsa-response_2.create_tsa_cert
sms 
sms Creating a file named one thing and then using a file named some other
sms thing looked suspicious to me.
sms 
smsThe next problem I saw in that test:
sms 
sms unable to load certificates: ./tsaca.pem
sms 
sms seems to be an inability to find a file specified in the .cnf file:
sms 
sms certs   = $dir/tsaca.pem
sms 
sms The shell script seems to say things like -out tsaca.pem -keyout
sms tsacakey.pem, while the DCL never mentions tsaca.pem.  Either more
sms code theft or else less would seem to be in order here.
sms 
sms 
sms 
smsSteven M. Schweda   s...@antinode-info
sms382 South Warwick Street(+1) 651-699-9818
smsSaint Paul  MN  55105-2547
sms __
sms OpenSSL Project http://www.openssl.org
sms Development Mailing List   openssl-dev@openssl.org
sms Automated List Manager   majord...@openssl.org

-
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.

-- 
Richard Levitte rich...@levitte.org
http://richard.levitte.org/

Life is a tremendous celebration - and I'm invited!
-- from a friend's blog, translated from Swedish
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

[openssl.org #2155] [Bug report] OpenSSL 1.0.0 64-bit build fails under MSVC

2010-01-25 Thread Big Muscle via RT 

I’m trying to build version 1.0 (doesn’t depend which beta snapshot, 0.9.8l is 
ok) under MS Visual Studio 2008 and it fails if building 64-bit version (switch 
VC-WIN64A). 32-bit builds ok, also 64-bit with “no-asm” builds ok, but it is 
about 4x slower which is unacceptable for our application. OS is Windows 7 
Professional x64, CPU AMD Athlon II X4 620.

The 64-bit build ends up with following errors:

Microsoft (R) Macro Assembler (x64) Version 9.00.30729.01 Copyright (C) 
Microsoft Corporation.  All rights reserved.

 Assembling: tmp32.dbgaes-x86_64.asm
tmp32.dbgaes-x86_64.asm(2197) : error A2206:missing operator in expression
tmp32.dbgaes-x86_64.asm(2198) : error A2206:missing operator in expression
tmp32.dbgaes-x86_64.asm(2199) : error A2206:missing operator in expression
tmp32.dbgaes-x86_64.asm(2200) : error A2206:missing operator in expression
tmp32.dbgaes-x86_64.asm(2491) : error A2206:missing operator in expression
tmp32.dbgaes-x86_64.asm(2492) : error A2206:missing operator in expression
tmp32.dbgaes-x86_64.asm(2525) : error A2206:missing operator in expression
tmp32.dbgaes-x86_64.asm(2526) : error A2206:missing operator in expression
tmp32.dbgaes-x86_64.asm(2559) : error A2206:missing operator in expression
tmp32.dbgaes-x86_64.asm(2560) : error A2206:missing operator in expression
tmp32.dbgaes-x86_64.asm(2593) : error A2206:missing operator in expression
tmp32.dbgaes-x86_64.asm(2594) : error A2206:missing operator in expression
tmp32.dbgaes-x86_64.asm(2624) : error A2075:jump destination too far : by 31 by
te(s)
tmp32.dbgaes-x86_64.asm(2631) : error A2075:jump destination too far : by 11 by
te(s)
NMAKE : fatal error U1077: 'C:Program Files (x86)Microsoft Visual Studio 9.0 
VCBINx86_amd64ml64.EXE' : return code '0x1'
Stop.


-
Big Muscle

__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

Re: OpenSSL 1.0.0 beta5 release v. VMS

2010-01-25 Thread Steven M. Schweda 
From: Richard Levitte rich...@levitte.org

 I just had a look at testtsa.com, and yeah, the corresponding shell
 script has evolved since testtsa.com was last updated.  Working on it
 right now.

   Skipping that one, ...

ALP $ @ tests test_ige
Test IGE mode
%DCL-W-ACTIMAGE, error activating image SYS$DISK:[-.ALPHA.EXE.TEST]IGETEST
-CLI-E-IMAGEFNF, image file not found ALP$DKA0:[UTILITY.SOURCE.OPENSSL.OPENSSL-1
^.0^.0-BETA5.ALPHA.EXE.TEST]IGETEST.EXE;


ALP $ @ tests test_jpake
Test JPAKE
[...]
A-B s3a
Bob fails to process Alice's step 3a
2075840056:error:3106706A:lib(49):JPAKE_STEP3A_process:hash of hash of key misma
tch:ALP$DKA0:[UTILITY.SOURCE.OPENSSL.openssl-1^.0^.0-beta5.crypto.jpake]jpake.c;
1:443:


ALP $ @ tests test_cms
CMS consistency test
Can't find OpenSSL executable at cms-test.pl line 68.
%RMS-F-SYN, file specification syntax error



   Steven M. Schweda   s...@antinode-info
   382 South Warwick Street(+1) 651-699-9818
   Saint Paul  MN  55105-2547
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

Re: [openssl.org #2153] OpenSSL 1.0.0 on UnixWare

2010-01-25 Thread Tim Rice via RT 
On Sun, 24 Jan 2010, The default queue via RT wrote:

 
 CVS OpenSSL_1_0_0-stable pulled 20 Jan 2010
 
 On UnixWare 7.1.4 w/ MP4, If I build OpenSSL without static libs it
 builds and tests fine.
 .
 ALL TESTS SUCCESSFUL.
   OPENSSL_CONF=apps/openssl.cnf util/opensslwrap.sh version -a
 OpenSSL 1.0.0-beta6-dev 20 Jan 2010
 built on: Sat Jan 23 11:10:13 PST 2010
 platform: unixware-7
 options:  bn(64,32) rc4(1x,char) des(ptr,risc1,16,long) idea(int) 
 blowfish(idx) 
 compiler: cc -DZLIB -DOPENSSL_THREADS -Kthread -DDSO_DLFCN -DHAVE_DLFCN_H 
 -Kpentium_pro -D__i386__ -O -DFILIO_H -Kalloca -DOPENSSL_BN_ASM_PART_WORDS 
 -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM 
 -DRMD160_ASM -DAES_ASM -DWHIRLPOOL_ASM
 OPENSSLDIR: /etc/ssl
 .
 
 If I add the shared option to config it will build but tests fail.
 .
 enveloped content test streaming S/MIME format, 3 recipients, keyid: OK
 enveloped content test streaming PEM format, KEK: verify error
 *** Error code 1 (bu21)
 UX:make: ERROR: fatal error.
 .

It looks like I've uncovered a compiler optimization bug.
If I remove the -Kpentium_pro option all test pass.
..
ALL TESTS SUCCESSFUL.
OPENSSL_CONF=apps/openssl.cnf util/opensslwrap.sh version -a
OpenSSL 1.0.0-beta6-dev 20 Jan 2010
built on: Mon Jan 25 09:09:25 PST 2010
platform: unixware-7
options:  bn(64,32) rc4(1x,char) des(ptr,risc1,16,long) idea(int) blowfish(idx) 
compiler: cc -Kpic -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -Kthread -DDSO_DLFCN 
-DHAVE_DLFCN_H -D__i386__ -O -DFILIO_H -Kalloca -DOPENSSL_BN_ASM_PART_WORDS 
-DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM 
-DRMD160_ASM -DAES_ASM -DWHIRLPOOL_ASM
OPENSSLDIR: /etc/ssl
..
For reference
   Optimizing C Compilation System  (CCS) 4.2  05/13/08 (uw714mp4.bl3h)

Now I need to come up with a small reproducable test case and report it
to the vendor.

-- 
Tim RiceMultitalents(707) 887-1469
t...@multitalents.net



__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

RE: OpenSSL 1.0.0 beta5 release v. VMS

2010-01-25 Thread Arpadffy Zoltan 
Hello,

I have downloaded openssl-1.0.0-stable-SNAP-20100125.tar.gz and tested and it 
looks much better then earlier.
Thank you.

However there are still some issues left with tests.

1. in .testtests.com sslroot definition does not work

$  sslroot = f$parse(sys$disk:[-.apps];syntax_only) - ].;+ .]
$  define /translation_attributes = concealed sslroot 'sslroot'

I have been forced to do it on more old fashioned way in order to get this work

$   ROOT = F$PARSE(__here,[]A.;0,,,SYNTAX_ONLY,NO_CONCEAL) - A.;0
$   ROOT_DEV = F$PARSE(ROOT,,,DEVICE,SYNTAX_ONLY)
$   ROOT_DIR = F$PARSE(ROOT,,,DIRECTORY,SYNTAX_ONLY) -
   - .][00 - [00. - ][ - [ - ] - .TEST
$   ROOT = ROOT_DEV + [ + ROOT_DIR
$   DEFINE/NOLOG SSLROOT 'ROOT'.APPS.] /TRANS=CONC 

2. there are still problems with testtsa.com but Richard works on that if I 
understood correctly.

Using configuration from [-]CATSA.CNF
Error Loading extension section TSA_CERT
2071080376:error:02001002:system library:fopen:no such file or 
directory:USRDSK:[ZAY.WORK.OPENSSL-100-STABLE-SNAP-20100125
.CRYPTO.BIO]BSS_FILE.C;1:126:fopen('./demoCA/index.txt-attr','r')

3. Manually started JPAKETEST fails!!!

TITAN2_ZAY $ mc 
USRDSK:ZAY.WORK.OPENSSL-100-STABLE-SNAP-20100125.IA64.EXE.TESTJPAKETEST.EXE
p = 
F9E5B365665EA7A05A9C534502780FEE6F1AB5BD4F49947FD036DBD7E905269AF46EF28B0FC07487EE4F5D20FB3C0AF8E700F3A2FA3414970CBED4
4FEDFF80CE78D800F184BB82435D137AADA2C6C16523247930A63B85661D1FC817A51ACD96168E95898A1F83A79FFB529368AA7833ABD1B0C3AEDDB14D
2E1A2F71D99F763F
g = 2
q = 
7CF2D9B2B32F53D02D4E29A2813C07F7378D5ADEA7A4CA3FE81B6DEBF482934D7A37794587E03A43F727AE907D9E057C738079D17D1A0A4B865F6A
27F6FFC0673C6C0078C25DC121AE89BD56D16360B291923C98531DC2B30E8FE40BD28D66CB0B474AC4C50FC1D3CFFDA949B4553C19D5E8D861D76ED8A6
970D17B8ECCFBB1F
A-B s1
B-A s1
A-B s2
B-A s2
Alice's key = 
3722C81D780857B4AAE63D109950698938A846C11E616ED29419A986C6D813E35F6969F9B2C70DD399437978DEAE71606425ADF08D7D
3459B0D8EB19B21D732A038A478B0BAF7A818E5266D75A1097D3F43384D6A9F2DD774AB67D282DF907DD2519F2A5185792DAE8C742BD4D4E91340DDBB0
8956856284831D9E3C475BF150
Bob's key   = 
3722C81D780857B4AAE63D109950698938A846C11E616ED29419A986C6D813E35F6969F9B2C70DD399437978DEAE71606425ADF08D7D
3459B0D8EB19B21D732A038A478B0BAF7A818E5266D75A1097D3F43384D6A9F2DD774AB67D282DF907DD2519F2A5185792DAE8C742BD4D4E91340DDBB0
8956856284831D9E3C475BF150
A-B s3a
B-A s3b
A-B s1
B-A s1
A-B s2
B-A s2
Alice's key = 
A7F469FF38ED3BA3225E1B05A8B44F3643A9128E4E0D2E225744CD58DE55C5D02276E4011B27A91AEEF3AE6B43D827CC61E6D2E933A5
E8C0601A0E25B434402F8AB9C04855F06794436D592FBE922ED027A37B285207C30F63A25115433DA1F8499CB8B5A09D945981489C18CED798944B873E
37DA5200793F2F5283A3BA2704
Bob's key   = 
F2FFD37A8934C66480E43F126DC9EB79CBD4F82ACC0686434407A83AFCCC467FDDD50B5C5DCE74CCE490027033E411701F80C62DE0F9
BFC1611DBD2F1249C3ACC13E724AFBFC10120F57DC304DD6EF7A972DBA33C5008776486ACAF4A0EE5AB2958E8585A0A94BF7E77805DED664956532DBDC
BA4602C2AD1791C917F9CFDF19
A-B s3a
Bob fails to process Alice's step 3a
2071080376:error:3106706A:lib(49):JPAKE_STEP3A_process:hash of hash of key 
mismatch:USRDSK:[ZAY.WORK.OPENSSL-100-STABLE-SN
AP-20100125.CRYPTO.JPAKE]JPAKE.C;1:443:

4. igetest - exe does not exists at all. We're not building at all?

5. I have suggested earlier and sent a patch for using the second (currently 
empty, unused) parameter for configuring 32 or 64 bit pointer size. 
I still think that it would be useful to have.

$!
$! Check To See If P2 Is Blank.
$!
$ IF (P2.EQS.32)
$ THEN
$POINTER_SIZE = 32
$ ELSE
$   IF (P3.EQS.64)
$   THEN
$ POINTER_SIZE = 64
$   ELSE
$!
$!Tell The User Entered An Invalid Option..
$!
$ WRITE SYS$OUTPUT 
$ WRITE SYS$OUTPUT The Option ,P2, Is Invalid.  The Valid Options Are:
$ WRITE SYS$OUTPUT 
$ WRITE SYS$OUTPUT 32  :  Compile with 32 bit pointer size
$ WRITE SYS$OUTPUT 64  :  Compile with 64 bit pointer size
$ WRITE SYS$OUTPUT 
$!
$!Time To EXIT.
$!
$ GOTO TIDY
$!
$!  End The Valid Argument Check.
$!
$   ENDIF
$ ENDIF
$! End The P2 Check. 

... and further down add this to compiler flags:
$! Write The [.CRYPTO.ARCH]BUILDINF.H File.
$!
$ WRITE H_FILE #define CFLAGS /pointer_size=''POINTER_SIZE'/float=g /* 
compiler flags */


Regards, 
Z

-Original Message-
From: Richard Levitte [mailto:rich...@levitte.org] 
Sent: den 25 januari 2010 01:26
To: openssl-dev@openssl.org; s...@antinode.info
Subject: Re: OpenSSL 1.0.0 beta5 release v. VMS

For VMS folks, please have a look at upcoming snapshots.  I've applied
the recent changes suggest by Steven M. Schweda s...@antinode.info
and changed test/CAtsa.cnf following his comments on the use of
$ENV::HOME there...

I have performed no tests yes following the changes, so I do not know
what the result will be.  I'll keep on working on this in the week
that follows.

Cheers,
Richard

-
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html

Re: OpenSSL 1.0.0 beta5 release

2010-01-25 Thread Emanuele Cesena 
Problem (small) with x86_64:

asm/x86_64-gcc.c:102:1: warning: sqr redefined

Probably a missing
#undef sqr
in crypto/bn/asm/x86_64-gcc.c:64

Best,
-- 
Emanuele Cesena emanuele.ces...@gmail.com

Il corpo non ha ideali


smime.p7s
Description: S/MIME cryptographic signature

RE: *****SPAM(4.2)***** [openssl.org #2086] Resolved: problem with bufferoverflowu.lib on x64 VS2008

2010-01-25 Thread Ariel Salomon via RT 

Appears to be fixed in 1.0.0 tree; but 0.9.8m-beta still has part of the 
problem because it didn't get the remove duplicate code part of e.g. 
http://cvs.openssl.org/chngview?cn=18895 .

--
 - Ariel Salomon / Security Lead, Senior Software Engineer
Real-Time Innovations (RTI) / www.rti.com
408 990-7439 / ar...@rti.com

RTI - The Real-Time Middleware Experts

 -Original Message-
 From: Andy Polyakov via RT [mailto:r...@openssl.org]
 Sent: Thursday, January 07, 2010 3:07 AM
 To: Ariel Salomon
 Subject: *SPAM(4.2)* [openssl.org #2086] Resolved: problem with
 bufferoverflowu.lib on x64 VS2008

 According to our records, your request has been resolved. If you have any
 further questions or concerns, please respond to this message.


__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org