Re: Building openssl 0.9.7 on sunos 4.1.3_U1
In message [EMAIL PROTECTED] on Thu, 15 Aug 2002 19:17:27 -0700 (PDT), Doug Kaufman [EMAIL PROTECTED] said:

dkaufman> I recently tried to build the August 9th snapshot of openssl 0.9.7 on a sun sparc machine running sunos 4.1.3_U1. This failed in several areas. Here are the changes I made to allow it to compile, but I am not sure that these are the correct fixes. The main problems: this version of sunos doesn't have strtoul and doesn't define sig_atomic_t anywhere. Also sys/ioctl.h should not be included in ui_openssl.c.
dkaufman> I wasn't sure which define to use to identify this version of sunos. I presume that these changes don't apply to Solaris, but I don't have a Solaris machine available to me to check. This patch uses (sun). The choices defined by gcc are: -Dsparc -Dsun -D__sparc__ -D__sun__ -D__sparc -D__sun. Is one of these more appropriate for the patch?

The best thing would probably be to insert an identifying name in the $sys_id field of the sunos-gcc target (I assume that's the one you got to use, right?).

dkaufman> Is defining strtoul as (unsigned long)strtol acceptable for the one place in the code where this function is used, or does a strtoul function have to be written to be used here? I know that there is

I *think* that's acceptable.

-- Richard Levitte \ Spannvägen 38, II \ [EMAIL PROTECTED] Redakteur@Stacken \ S-168 35 BROMMA \ T: +46-8-26 52 47 \ SWEDEN \ or +46-708-26 53 44 Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED] Member of the OpenSSL development team: http://www.openssl.org/ Unsolicited commercial email is subject to an archival fee of $400. See http://www.stacken.kth.se/~levitte/mail/ for more info.
__ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
[openssl.org #225] OpenSSL Security Advisory (30 July 2002), recompiling applications using OpenSSL, enhancement request
Dear Sirs,

I have read your OpenSSL Security Advisory (30 July 2002), where there is the recommendation to upgrade to OpenSSL 0.9.6e for those using 0.9.6d and earlier. We are using OpenSSL version 0.9.6a-9 and OpenSSH version 2.9p1-7. The OS is SuSE - Linux 7.2 (i386).

You recommend also recompiling all applications using OpenSSL to provide SSL or TLS. I would like you to tell me what exactly is meant by recompilation. Do I have to download the source code for OpenSSH (since I had already OpenSSH installed on the system as binary package) and compile again to take SSL or whatever changes in effect?

Any help would be greatly appreciated. Thanks in Advance for your kind support

Best Regards, Bengi Ako
__ Unix System Administrator Bundesdruckerei GmbH Kommandantenstr. 15 10958 Berlin - Germany Tel.: +49 - 30 - 25 98 13 89
[openssl.org #226] Compiling 0.9.7 with zlib [patch]
I recently tried to compile the August 9th snapshot of openssl 0.9.7 with static zlib enabled. The build failed because Configure only adds -lz for dynamic zlib. I think that this patch fixes the problem. Doug --- openssl-0.9.7-beta3/Configure.orig Thu Aug 1 14:06:26 2002 +++ openssl-0.9.7-beta3/Configure Mon Aug 12 17:55:20 2002 @@ -1070,7 +1070,7 @@ { $cflags = -DZLIB $cflags; $cflags = -DZLIB_SHARED $cflags if $zlib == 2; - $lflags = $lflags -lz if $zlib == 2; + $lflags = $lflags -lz } # You will find shlib_mark1 and shlib_mark2 explained in Makefile.org __ Doug Kaufman Internet: [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
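Review bot: the replacement line `$lflags = $lflags -lz` in the hunk at line 1070 removes the `if $zlib == 2` condition entirely, so -lz is now linked in for every zlib mode, including the $zlib == 2 case that the line above marks with -DZLIB_SHARED. If the aim is to fix the static build only, keep a condition on the line that selects the static case instead of dropping it. The new line has also lost its trailing semicolon, which Perl tolerates only because it is the last statement in the block; restore the `;` so a later addition to the block does not break Configure.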
Re: [openssl.org #226] Compiling 0.9.7 with zlib [patch]
In message [EMAIL PROTECTED] on Thu, 15 Aug 2002 18:53:11 -0700 (PDT), Doug Kaufman [EMAIL PROTECTED] said: dkaufman I recently tried to compile the August 9th snapshot of openssl 0.9.7 dkaufman with static zlib enabled. The build failed because Configure only adds dkaufman -lz for dynamic zlib. I think that this patch fixes the problem. dkaufman Doug dkaufman dkaufman --- openssl-0.9.7-beta3/Configure.origThu Aug 1 14:06:26 2002 dkaufman +++ openssl-0.9.7-beta3/Configure Mon Aug 12 17:55:20 2002 dkaufman @@ -1070,7 +1070,7 @@ dkaufman { dkaufman $cflags = -DZLIB $cflags; dkaufman $cflags = -DZLIB_SHARED $cflags if $zlib == 2; dkaufman - $lflags = $lflags -lz if $zlib == 2; dkaufman + $lflags = $lflags -lz dkaufman } dkaufman dkaufman # You will find shlib_mark1 and shlib_mark2 explained in Makefile.org Almost correct. -lz should only be added when $zlib == 1. -- Richard Levitte \ Spannvägen 38, II \ [EMAIL PROTECTED] Redakteur@Stacken \ S-168 35 BROMMA \ T: +46-8-26 52 47 \ SWEDEN \ or +46-708-26 53 44 Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED] Member of the OpenSSL development team: http://www.openssl.org/ Unsolicited commercial email is subject to an archival fee of $400. See http://www.stacken.kth.se/~levitte/mail/ for more info. __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
[openssl.org #226] Compiling 0.9.7 with zlib [patch]
This ticket is resolved. -- Richard Levitte [EMAIL PROTECTED]
[openssl.org #220] bug in config (openssl-0.9.6g, Solaris2.6)
Note that the solaris-sparcv9-cc and solaris-sparcv9-gcc configurations actually use just sparcv8plus code (32 bit); see Configure.

I did not know that, since I looked at config only, but not at Configure. But still: is it assured that every sun4u machine has the sparcv8plus instruction set? If not, then the patch is still required as the isalist manpage says: Programs compiled for instruction sets that do not appear in the list will most likely experience performance degradation or not run at all on this machine.

Only the solaris64-sparcv9-... configuration really needs sparcv9.

This is on a sun4u machine with 32-bit OS only: $ isalist sparcv8plus+vis sparcv8plus sparcv8 sparcv8-fsmuld sparcv7 sparc

solaris-sparcv9-cc or ...-gcc are the configurations that should be used on this machine. Do you have a sun4u machine on which the solaris-sparcv9-cc/gcc code actually fails?

I compiled OpenSSL straightaway for sparcv8 since I was scared by the isalist manpage (s. above).

I agree. Please try the attached patch

The patch should not be necessary (and should probably be reverted in the CVS).
[openssl.org #228] Windows: ASN1 time routine can cause core dump (0.9.6g)
Hello all

Unchecked return from gmtime in ASN1 time set routine can cause core dump on Windows

I found this problem when debugging 'nmake test' for Net::SSLeay. openssl is called:

    openssl.exe req -config examples/req.conf -x509 -days 36500 -new -keyout examples/key.pem

Those hundred years in the -days argument seem to be too much for Windows. The time value t in the ASN1_UTCTIME *ASN1_UTCTIME_set(ASN1_UTCTIME *s, time_t t) function (in crypto/asn1/a_utctm.c:192) runs over into the negative (0xf954fcaf). The subsequent call to

    ts=gmtime(&t);

returns a NULL pointer. This pointer doesn't get checked and the following call to

    sprintf(p,"%02d%02d%02d%02d%02d%02dZ",ts->tm_year%100, ts->tm_mon+1,ts->tm_mday,ts->tm_hour,ts->tm_min,ts->tm_sec);

dumps core. (Well, the system croaks up an 'access violation')

I recommend checking the return from gmtime and using an error exit on NULL.

Stack trace:

    ASN1_UTCTIME_set(asn1_string_st * 0x008b0d70, long 0xf954fcaf) line 260 + 3 bytes
    X509_time_adj(asn1_string_st * 0x008b0d70, long 0xbbf81e00, long * 0x) line 657 + 22 bytes
    X509_gmtime_adj(asn1_string_st * 0x008b0d70, long 0xbbf81e00) line 645 + 15 bytes
    req_main(int 0x, char * * 0x00892a88) line 725 + 30 bytes
    do_cmd(lhash_st * 0x008adbf8, int 0x0009, char * * 0x00892a64) line 236 + 14 bytes
    main(int 0x0009, char * * 0x00892a64) line 155 + 20 bytes
    mainCRTStartup() line 338 + 17 bytes
    KERNEL32! 77e97d08()

My system: Windows 2000 SP2 on Intel Pentium
Compiler Visual C++ V6 SP4

openssl version -a :

    OpenSSL 0.9.6g 9 Aug 2002
    built on: Wed Aug 14 13:54:34 2002
    platform: VC-WIN32
    options: bn(64,32) md2(int) rc4(idx,int) des(idx,cisc,4,long) idea(int) blowfish(idx)
    compiler: cl /W3 /WX /Zi /Yd /Od /nologo -DWIN32 -D_DEBUG -DL_ENDIAN -DWIN32_LEAN_AND_MEAN -DDEBUG -DDSO_WIN32 /MTd -DBN_ASM -DMD5_ASM -DSHA1_ASM -DRMD160_ASM /Fdout32dll

Thanks for your work!

Marcel Bucher [EMAIL PROTECTED]
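The check recommended in the report above, as an added C example (not code from OpenSSL or from the original message): format_utctime refuses a time value that gmtime() cannot convert, and add_secs_32 catches the wrap that produced the negative value in the first place. Both function names are hypothetical, and int32_t stands in for the 32-bit long shown in the stack trace.

```c
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Add an offset in seconds to a 32-bit signed time value, the width of the
 * "long" arguments in the stack trace. Returns 0 and stores the sum, or -1
 * if the sum does not fit (the case that produced 0xf954fcaf). */
static int add_secs_32(int32_t base, int64_t offset, int32_t *out)
{
    int64_t sum = (int64_t)base + offset;

    if (sum < INT32_MIN || sum > INT32_MAX)
        return -1;
    *out = (int32_t)sum;
    return 0;
}

/* Format t as YYMMDDHHMMSSZ into buf. Returns 0 on success, or -1 if
 * gmtime() cannot convert t or buf is too small. */
static int format_utctime(time_t t, char *buf, size_t len)
{
    struct tm *ts = gmtime(&t);
    int n;

    if (ts == NULL)              /* the check the report asks for */
        return -1;
    n = snprintf(buf, len, "%02d%02d%02d%02d%02d%02dZ",
                 ts->tm_year % 100, ts->tm_mon + 1, ts->tm_mday,
                 ts->tm_hour, ts->tm_min, ts->tm_sec);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

int main(void)
{
    /* Constructed inputs: base = 0xf954fcaf - 0xbbf81e00 from the trace,
     * offset = 36500 days in seconds (0xbbf81e00). */
    int32_t base = 0x3d5cdeaf, end;
    int64_t offset = (int64_t)36500 * 86400;
    char buf[16];

    if (add_secs_32(base, offset, &end) != 0)
        puts("end date does not fit in a 32-bit time value");
    if (format_utctime((time_t)base, buf, sizeof buf) == 0)
        printf("notBefore: %s\n", buf);
    return 0;
}
```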
Increasing the struct_ref member of engine_st
While some OpenSSL objects (DH, DSA, RSA) offer an *_up_ref function to increase the reference count, others have their internal structure publicly available (EVP_PKEY, X509, etc), so you can use CRYPTO_add() to increase the reference count.

In the process of writing wrapper classes for various OpenSSL functions, I noticed that ENGINE (engine_st from eng_int.h respectively) is one of the few structures where a developer cannot increase the structural reference count.

Would anybody mind a little function like ENGINE_up_ref()? It would help *me* a great deal, and I'd be happy to supply a patch.
RE: [openssl.org #223] Length error in EVP_DecodeBlock
How about adding a high-level function in 0.9.7 a la SHA1() and MD5(), for example EVP_Decode() and EVP_Encode()? I suspect that a majority of base 64 encodes/decodes are on a single chunk so the Init/Update/Final/defining EVP context mechanism is overkill at the app level.

Chris Brook

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Richard Levitte via RT
Sent: Thursday, August 15, 2002 5:15 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: [openssl.org #223] Length error in EVP_DecodeBlock

[[EMAIL PROTECTED] - Wed Aug 14 22:36:47 2002]:

EVP_DecodeBlock() [in crypto/evp/encode.c] returns the length of the result of the base-64 decode. However this length is not the true length of the result but includes any trailing fills ('=') so it's always 0 mod 3. This obviously can cause errors in any processing on the result, e.g. decryption. I would suggest that adding something like:

    while (*--f == '=') --ret;

immediately before the return(ret); would solve the problem.

Well, depends. If you consider that EVP_DecodeBlock() really just is a helper function for EVP_DecodeUpdate(), the implementation is correct, and your change would actually break EVP_DecodeUpdate() as well as any call to EVP_DecodeBlock() that expects the current behavior. You see, EVP_DecodeUpdate() checks for the final '=' and decreases the final length accordingly. You need to do the same.

This ticket is resolved. -- Richard Levitte [EMAIL PROTECTED]
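The caller-side adjustment discussed in this ticket, as an added C example that is not part of the thread and not OpenSSL code. decode_block is a hypothetical stand-in that only reproduces the length behaviour the ticket describes (3 bytes per 4-character group, padding included), and true_length is a hypothetical helper showing the trailing '=' check a caller has to perform.

```c
#include <stdio.h>
#include <string.h>

static const char TBL[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Stand-in decoder (not OpenSSL code) with the behaviour the ticket
 * describes: '=' decodes as zero bits and every 4-character group yields
 * 3 bytes, so the return value is always a multiple of 3. */
static int decode_block(unsigned char *out, const char *in, int n)
{
    int i, j, ret = 0;

    if (n % 4 != 0)
        return -1;
    for (i = 0; i < n; i += 4) {
        unsigned long v = 0;
        for (j = 0; j < 4; j++) {
            char c = in[i + j];
            const char *p = (c == '=') ? TBL : (c ? strchr(TBL, c) : NULL);
            if (p == NULL)
                return -1;
            v = (v << 6) | (unsigned long)(p - TBL);
        }
        out[ret++] = (unsigned char)(v >> 16);
        out[ret++] = (unsigned char)(v >> 8);
        out[ret++] = (unsigned char)v;
    }
    return ret;
}

/* Caller-side adjustment: drop one byte per trailing '=' (at most two). */
static int true_length(const char *in, int n, int block_ret)
{
    int pad = 0;

    if (block_ret < 0)
        return block_ret;
    while (pad < 2 && pad < n && in[n - 1 - pad] == '=')
        pad++;
    return block_ret - pad;
}

int main(void)
{
    const char *in = "TWE=";   /* constructed sample: base64 of "Ma" */
    unsigned char out[8];
    int raw = decode_block(out, in, 4);

    printf("block length %d, payload length %d\n", raw, true_length(in, 4, raw));
    return 0;
}
```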
[openssl.org #200] wrong URL for rt in README for 0.9.7-beta3
[[EMAIL PROTECTED] - Tue Aug 6 17:38:38 2002]:

nexus@thune[4:34pm]src/openssl/openssl-0.9.7-beta3(539) grep rt2.html README
(http://www.openssl.org/rt2.html) by mail to:

should be org/support/rt2

Thanks, fixed.

Lutz
[openssl.org #212] SSL_CTX_flush_sessions() must be called before SSL_CTX_free().
[jaenicke - Tue Aug 13 15:16:11 2002]:

On Mon, Aug 12, 2002 at 06:44:26PM +0200, Geoff Thorpe via RT wrote:

I think it's unlikely, but I'd guess off the top of my head that something like the following would be less risky;

    if (a->sessions != NULL)
        SSL_CTX_flush_sessions(a,0);
    CRYPTO_free_ex_data(ssl_ctx_meth,(char *)a,&a->ex_data);
    if (a->sessions != NULL)
        lh_free(a->sessions);

Makes sense to me. I consider this to be a bugfix, such that it might make its way into 0.9.6-stable and later.

Applied for 0.9.6 and later.

Lutz
[openssl.org #202] Help
[[EMAIL PROTECTED] - Thu Aug 8 09:43:45 2002]:

I'm trying to install open-ssh 34p1 on an Aix server, running 4.3.3.. I compiled openssh 0.9.6d and zlib 1.1.4. on the server , and also created the a bff pancake using the contrib/aix/buildbff.sh script. I can't start sshd either installing it as a package or without. When I tried to start sshd I received the following error:

    0509-036 Cannot load program /.sshd because of the following errors:
    0509-150 Dependent module /usr/local/lib/libcrypto.a/libcrypto.so) could not be loaded.
    0509-152 Member libcrypto.so is not found in archive

This does not make sense. libcrypto.a is the static library, libcrypto.so is the dynamic one, but they are not part of each other. Please ask the package maintainers or consider asking at the openssh-unix-dev mailing list or in an AIX forum.

Best regards, Lutz