Re: seed in RSA_public_encrypt and others
Xinwen Fu wrote:
> Hi,
> In the man page of RSA_public_encrypt, it says
> The random number generator must be seeded prior to calling
> RSA_public_encrypt()

yes, (pseudo) random numbers are needed for the pkcs1 padding

> Does this mean that each time I use RSA_public_encrypt(), I need
> to use RAND_seed() to seed the random number generator? For
> example, if RSA_public_encrypt() is invoked in a loop, should
> RAND_seed() also be in the loop?

normally it should be sufficient to set the prng once

Nils
__
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
[PATCH] misuse of SSL_CTX_load_verify_locations
The following command always fails. I believe the behaviour is not what we want. I attached a patch against s_client, s_server and s_time. Other commands might also suffer from the same problem.

openssl s_client -verify 0 -connect somewhere

diff -Nru openssl-SNAP-20040330.orig/apps/s_client.c openssl-SNAP-20040330/apps/s_client.c --- openssl-SNAP-20040330.orig/apps/s_client.c Fri Nov 28 23:00:09 2003 +++ openssl-SNAP-20040330/apps/s_client.c Tue Mar 30 19:22:45 2004 @@ -502,7 +502,8 @@ if (!set_cert_stuff(ctx,cert_file,key_file)) goto end; - if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) || + if ((!(CAfile == NULL CApath == NULL) + !SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) || (!SSL_CTX_set_default_verify_paths(ctx))) { /* BIO_printf(bio_err,error setting default verify locations\n); */ diff -Nru openssl-SNAP-20040330.orig/apps/s_server.c openssl-SNAP-20040330/apps/s_server.c --- openssl-SNAP-20040330.orig/apps/s_server.c Fri Nov 28 23:00:09 2003 +++ openssl-SNAP-20040330/apps/s_server.c Tue Mar 30 19:23:13 2004 @@ -814,7 +814,8 @@ } #endif - if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) || + if ((!(CAfile == NULL CApath == NULL) + !SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) || (!SSL_CTX_set_default_verify_paths(ctx))) { /* BIO_printf(bio_err,X509_load_verify_locations\n); */ diff -Nru openssl-SNAP-20040330.orig/apps/s_time.c openssl-SNAP-20040330/apps/s_time.c --- openssl-SNAP-20040330.orig/apps/s_time.cSun Dec 28 00:00:40 2003 +++ openssl-SNAP-20040330/apps/s_time.c Tue Mar 30 19:22:14 2004 @@ -476,7 +476,8 @@ SSL_load_error_strings(); - if ((!SSL_CTX_load_verify_locations(tm_ctx,CAfile,CApath)) || + if ((!(CAfile == NULL CApath == NULL) + !SSL_CTX_load_verify_locations(tm_ctx,CAfile,CApath)) || (!SSL_CTX_set_default_verify_paths(tm_ctx))) { /* BIO_printf(bio_err,error setting default verify locations\n); */
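Review bot: In the s_client.c hunk the added guard reads "!(CAfile == NULL CApath == NULL)" followed by "!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)" with no operator between the operands as posted, so the intended logic has to be inferred from the description. Writing it as "(CAfile != NULL || CApath != NULL) && !SSL_CTX_load_verify_locations(ctx,CAfile,CApath)" would state the aim directly (skip the explicit load only when neither option was given) and drop the double negation. The context line also shows the BIO_printf in this branch commented out, so one message cannot tell the user whether the explicit CAfile/CApath load or the default-path setup failed; restoring a diagnostic there would help.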
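Review bot: The s_server.c and s_time.c hunks repeat the same two-line condition as s_client.c, differing only in the context variable (ctx versus tm_ctx). A small helper in the shared apps code that takes the SSL_CTX, CAfile and CApath would keep the three call sites from drifting apart, and would give the other commands the description says may be affected a single place to call.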
Re: bug in 0.9.7d (on alpha/Tru64 UNIX V4.0F)
Robert Urban wrote:
> I'm wondering if the following bug has been found and fixed. If so, I'd
> really like to know about it.
>
> backtrace: - stunnel dies on a SIGSEGV

We have a similar problem on a SOLARIS/SPARC machine. A workaround is the removal of the calls of ENGINE_load_builtin_engines and ENGINE_register_all_complete at the beginning of the function context_init in ssl.c of the stunnel sources.

Ciao,
Richard
--
Dr. Richard W. Könning
Fujitsu Siemens Computers GmbH
Re: bug in 0.9.7d (on alpha/Tru64 UNIX V4.0F)
You wrote:
> Robert Urban wrote:
> > I'm wondering if the following bug has been found and fixed. If so, I'd
> > really like to know about it.
> >
> > backtrace: - stunnel dies on a SIGSEGV
>
> We have a similar problem on a SOLARIS/SPARC machine. A workaround is the
> removal of the calls of ENGINE_load_builtin_engines and
> ENGINE_register_all_complete at the beginning of the function context_init
> in ssl.c of the stunnel sources.

My workaround was to turn off all support for hardware encryption devices. (./config no-hw).

If I can contribute any additional information please let me know. I could even set up access (ssh) to the alpha in question.

Rob Urban
Re: RSA_generate_key with BIGNUM exponent
Hi there,

On March 29, 2004 04:26 am, Jelte Jansen wrote:
[snip]
> Because I don't like to come empty-handed I took the liberty of supplying
> a patch with a possible extension: rsa_gen.c gets another function:
> RSA * RSA_generate_key_bignum_exponent(int bits, BIGNUM *e,void (*callback)(int,int,void *),void *cb_arg);
[snip]
> Might it be worthy of inclusion (or something else with the same
> expansion) in a future release of openssl?

I took a quick look but one immediate problem springs to mind, it's a patch against 0.9.7[d]. This kind of change is not going to be possible for stable release branches, so you'd need to look at the head of CVS (or download a recent nightly snapshot from the website).

For one thing, I moved the key-generation functionality into the RSA_METHOD since 0.9.7 was branched off, so if you want to migrate the public exponent parameter from word->BIGNUM, you'd need to change it up at that level and work backwards from there. Note, if you do this, don't worry about adding a second handler to RSA_METHOD, just modify the one that's there (it hasn't been released yet so compatibility isn't an issue). You would still need to leave the API as it is though, so adding another API function remains necessary (deprecating the old one would make sense, but I can worry about this afterwards if you want).

Otherwise, the idea seems logical enough to me. If you want to update the patch, please submit it to the request-tracker and assign it to me if you like.

Cheers,
Geoff
--
Geoff Thorpe [EMAIL PROTECTED] http://www.geoffthorpe.net/
[openssl.org #862] BUG: null pointer exception in openssl 0.9.7d ca command
OpenSSL version: output of 'openssl version -a'

OpenSSL 0.9.7d 17 Mar 2004
built on: Thu Mar 25 21:53:07 2004
platform: VC-WIN32
options: bn(64,32) md2(int) rc4(idx,int) des(idx,cisc,4,long) idea (int) blowfish(idx)
compiler: cl /MD /W3 /WX /G5 /Ox /O2 /Ob2 /Gs0 /GF /Gy /nologo - DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_WIN32 -DBN_ASM -DMD5_ASM -DSHA1_ASM -DRMD160_ASM /Fdout32dll - DOPENSSL_NO_KRB5
OPENSSLDIR: /usr/local/ssl

OS Name, Version, Hardware platform

Windows XP Professional Version 5.1 (Build 2600.xpsp2.030422-1633 : Service Pack 1)

Compiler Details (name, version)

Microsoft Visual C++ .NET (Visual Studio .NET 2003)

Application Details (name, version)

openssl.exe ca command

Problem Description (steps that will reproduce the problem, if known)

1. Run the openssl ca command.
   openssl ca -config openssl.cnf -out mycert -notext -batch -passin stdin -policy policy_anything -infiles mycsr
2. Type the wrong CA private key when prompted and press enter.
3. openssl prints unable to load CA private key.
4. openssl has an access violation:
   Unhandled exception at 0x00426156 in openssl.exe: 0xC005: Access violation reading location 0x0004.

Stack trace:
openssl.exe!free_index(ca_db_st * db=0x) Line 1973 + 0x3 C
openssl.exe!ca_main(int argc=1, char * * argv=0x003a4484) Line 1506 + 0x9 C
openssl.exe!do_cmd(lhash_st * prog=0x00a44a00, int argc=13, char * * argv=0x003a4454) Line 381 + 0xe C
openssl.exe!main(int Argc=13, char * * Argv=0x003a4454) Line 300 + 0x14 C
openssl.exe!mainCRTStartup() Line 398 + 0x11 C
kernel32.dll!77e814c7()

The free_index function was called with argument 1 of 1, db = NULL.

void free_index(CA_DB *db)
{
    TXT_DB_free(db->db);
    OPENSSL_free(db);
}

Stack Traceback (if the application dumps core)

Stack trace:
openssl.exe!free_index(ca_db_st * db=0x) Line 1973 + 0x3 C
openssl.exe!ca_main(int argc=1, char * * argv=0x003a4484) Line 1506 + 0x9 C
openssl.exe!do_cmd(lhash_st * prog=0x00a44a00, int argc=13, char * * argv=0x003a4454) Line 381 + 0xe C
openssl.exe!main(int Argc=13, char * * Argv=0x003a4454) Line 300 + 0x14 C
openssl.exe!mainCRTStartup() Line 398 + 0x11 C
kernel32.dll!77e814c7()
[openssl.org #704] PATCH some manpages don't install links as expected
I'm having this same problem with openssl 0.9.7d, though I'm not sure how those patches would be applied.

David
Re: seed in RSA_public_encrypt and others
> > to use RAND_seed() to seed the random number generator? For
> > example, if RSA_public_encrypt() is invoked in a loop, should
> > RAND_seed() also be in the loop?
>
> normally it should be sufficient to set the prng once

For RSA_NO_PADDING, do we need to set the prng? Seems no reason to do it.

Xinwen Fu
Re: [openssl.org #704] PATCH some manpages don't install links as expected
David Soares via RT wrote:
> I'm having this same problem with openssl 0.9.7d, though I'm not sure
> how those patches would be applied.

in 0.9.7d most of the errors have been fixed,

fixed:
patch-doc-crypto-EVP_BytesToKey.pod
patch-doc-crypto-EVP_DigestInit.pod
patch-doc-crypto-ui.pod

open:
patch-doc-crypto-des_modes.pod
to avoid Space in the filename of the manpage.

I did not check if 0.9.7d can handle spaces now.
0.9.7c created more files e.g.:
Modes.3 of.3 DES.3

kind regards Dirk

- Dirk Meyer, Im Grund 4, 34317 Habichtswald, Germany
- [EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED]

--- doc/crypto/des_modes.pod.orig Tue Mar 5 16:30:13 2002 +++ doc/crypto/des_modes.podTue Sep 30 18:58:27 2003 @@ -2,7 +2,7 @@ =head1 NAME -Modes of DES - the variants of DES and other crypto algorithms of OpenSSL +Modes_of_DES - the variants of DES and other crypto algorithms of OpenSSL =head1 DESCRIPTION
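Review bot: The NAME line of des_modes.pod becomes "Modes_of_DES", so the underscores will show in the rendered page title and the name no longer reads like the prose title it replaced. Since the message says the change exists only because the install step turns each word of the NAME line into a file name (Modes.3 of.3 DES.3), say so in the commit message, and check that nothing else under doc/ still refers to the page as "Modes of DES".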
Re: seed in RSA_public_encrypt and others
Xinwen Fu wrote:
> > > to use RAND_seed() to seed the random number generator? For
> > > example, if RSA_public_encrypt() is invoked in a loop, should
> > > RAND_seed() also be in the loop?
> >
> > normally it should be sufficient to set the prng once
>
> For RSA_NO_PADDING, do we need to set the prng? Seems no reason to do it.

Of course, if you use RSA_NO_PADDING you don't need to set the prng.

Nils
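Why the PRNG matters only for the padded case, as an added example that is not part of the original messages and not OpenSSL code: it implements just the PKCS #1 v1.5 block type 2 encoding that precedes the RSA operation and compares it with an unpadded block. Function names are hypothetical and /dev/urandom is an assumed random source.

```c
/* Added illustration: the EME-PKCS1-v1_5 (block type 2) encoding step of RSA
 * public-key encryption. This is not OpenSSL code; function names are
 * hypothetical and /dev/urandom is assumed as the random source. */
#include <stdio.h>
#include <string.h>

#define MAX_K 512          /* largest modulus size (bytes) the demo buffers hold */
#define PKCS1_OVERHEAD 11  /* 00 02, at least 8 bytes of PS, 00 */

/* Fill buf with len bytes from the OS random source; 0 on success. */
static int os_random(unsigned char *buf, size_t len)
{
    FILE *f = fopen("/dev/urandom", "rb");
    size_t got;

    if (f == NULL)
        return -1;
    got = fread(buf, 1, len, f);
    fclose(f);
    return got == len ? 0 : -1;
}

/* Build 00 || 02 || PS || 00 || msg in em[0..k-1]; PS is random and nonzero. */
int pkcs1_type2_pad(unsigned char *em, size_t k,
                    const unsigned char *msg, size_t mlen)
{
    size_t pslen, i;

    if (k < PKCS1_OVERHEAD || mlen > k - PKCS1_OVERHEAD)
        return -1;                       /* message too long for this modulus */
    pslen = k - mlen - 3;
    em[0] = 0x00;
    em[1] = 0x02;
    if (os_random(em + 2, pslen) != 0)
        return -1;
    for (i = 0; i < pslen; i++) {        /* a zero byte would end PS early */
        while (em[2 + i] == 0x00) {
            if (os_random(em + 2 + i, 1) != 0)
                return -1;
        }
    }
    em[2 + pslen] = 0x00;
    memcpy(em + 3 + pslen, msg, mlen);
    return 0;
}

/* Counterpart of RSA_NO_PADDING: caller supplies exactly k bytes, no randomness. */
int raw_block(unsigned char *em, size_t k, const unsigned char *msg, size_t mlen)
{
    if (mlen != k)
        return -1;
    memcpy(em, msg, k);
    return 0;
}

/* Locate the message in a type 2 block; returns its length or -1.
 * Not constant-time, so unsuitable for real decryption code. */
long pkcs1_type2_unpad(const unsigned char *em, size_t k, const unsigned char **out)
{
    size_t i = 2;

    if (k < PKCS1_OVERHEAD || em[0] != 0x00 || em[1] != 0x02)
        return -1;
    while (i < k && em[i] != 0x00)
        i++;
    if (i == k || i < 10)                /* no separator, or PS under 8 bytes */
        return -1;
    *out = em + i + 1;
    return (long)(k - i - 1);
}

/* 1 if two encodings of the same message differ, 0 if identical, -1 on error. */
int encodings_differ(size_t k, const unsigned char *msg, size_t mlen, int padded)
{
    unsigned char a[MAX_K], b[MAX_K];
    int ra, rb;

    if (k > MAX_K)
        return -1;
    ra = padded ? pkcs1_type2_pad(a, k, msg, mlen) : raw_block(a, k, msg, mlen);
    rb = padded ? pkcs1_type2_pad(b, k, msg, mlen) : raw_block(b, k, msg, mlen);
    if (ra != 0 || rb != 0)
        return -1;
    return memcmp(a, b, k) != 0;
}

int main(void)
{
    const unsigned char msg[] = "sixteen byte msg";   /* constructed sample */
    unsigned char full[128];

    memset(full, 'A', sizeof full);                   /* constructed sample */
    printf("padded encodings differ: %d\n", encodings_differ(128, msg, 16, 1));
    printf("raw encodings differ:    %d\n", encodings_differ(128, full, 128, 0));
    return 0;
}
```

With padding, the same plaintext encodes to a different block each time; without it the input to the RSA operation is deterministic, so equal plaintexts give equal ciphertexts.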
[openssl.org #704] PATCH some manpages don't install links as expected
This is a response to both ticket 704 and 856, which I merged together. As of the response below, I can safely say that the issue has been resolved. Thanks for the reports and the reminders :-).

[guest - Fri Mar 26 14:10:04 2004]:

> Sorry for my last double-posting. :-(
> Happened due to reusing an already opened page.
>
> I've checked with the following snapshot:
> openssl-0.9.7-stable-SNAP-20040326.tar.gz
> and it now seems to be adequately named as 'Modes_of_DES.7'
>
> Thank You!
>
> Best Regards,
> Rolf Sponsel

--
Richard Levitte [EMAIL PROTECTED]
[openssl.org #862] BUG: null pointer exception in openssl 0.9.7d ca command
This problem has been fixed not long ago. Please download a recent 0.9.7 snapshot and look for yourself.

I'm resolving this ticket.

[guest - Tue Mar 30 18:40:42 2004]:

> OpenSSL version: output of 'openssl version -a'
>
> OpenSSL 0.9.7d 17 Mar 2004
> built on: Thu Mar 25 21:53:07 2004
> platform: VC-WIN32
> options: bn(64,32) md2(int) rc4(idx,int) des(idx,cisc,4,long) idea (int) blowfish(idx)
> compiler: cl /MD /W3 /WX /G5 /Ox /O2 /Ob2 /Gs0 /GF /Gy /nologo - DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_WIN32 -DBN_ASM -DMD5_ASM -DSHA1_ASM -DRMD160_ASM /Fdout32dll - DOPENSSL_NO_KRB5
> OPENSSLDIR: /usr/local/ssl
>
> OS Name, Version, Hardware platform
>
> Windows XP Professional Version 5.1 (Build 2600.xpsp2.030422-1633 : Service Pack 1)
>
> Compiler Details (name, version)
>
> Microsoft Visual C++ .NET (Visual Studio .NET 2003)
>
> Application Details (name, version)
>
> openssl.exe ca command
>
> Problem Description (steps that will reproduce the problem, if known)
>
> 1. Run the openssl ca command.
>    openssl ca -config openssl.cnf -out mycert -notext -batch -passin stdin -policy policy_anything -infiles mycsr
> 2. Type the wrong CA private key when prompted and press enter.
> 3. openssl prints unable to load CA private key.
> 4. openssl has an access violation:
>    Unhandled exception at 0x00426156 in openssl.exe: 0xC005: Access violation reading location 0x0004.
>
> Stack trace:
> openssl.exe!free_index(ca_db_st * db=0x) Line 1973 + 0x3 C
> openssl.exe!ca_main(int argc=1, char * * argv=0x003a4484) Line 1506 + 0x9 C
> openssl.exe!do_cmd(lhash_st * prog=0x00a44a00, int argc=13, char * * argv=0x003a4454) Line 381 + 0xe C
> openssl.exe!main(int Argc=13, char * * Argv=0x003a4454) Line 300 + 0x14 C
> openssl.exe!mainCRTStartup() Line 398 + 0x11 C
> kernel32.dll!77e814c7()
>
> The free_index function was called with argument 1 of 1, db = NULL.
>
> void free_index(CA_DB *db)
> {
>     TXT_DB_free(db->db);
>     OPENSSL_free(db);
> }
>
> Stack Traceback (if the application dumps core)
>
> Stack trace:
> openssl.exe!free_index(ca_db_st * db=0x) Line 1973 + 0x3 C
> openssl.exe!ca_main(int argc=1, char * * argv=0x003a4484) Line 1506 + 0x9 C
> openssl.exe!do_cmd(lhash_st * prog=0x00a44a00, int argc=13, char * * argv=0x003a4454) Line 381 + 0xe C
> openssl.exe!main(int Argc=13, char * * Argv=0x003a4454) Line 300 + 0x14 C
> openssl.exe!mainCRTStartup() Line 398 + 0x11 C
> kernel32.dll!77e814c7()

--
Richard Levitte [EMAIL PROTECTED]
[openssl.org #861] [PATCH] add Interix configuration
In the Configure lines, the target interix_gcc_shared is referred to, so it's obvious the patch for Makefile.org is missing, or you didn't quite test everything (in this case, building shared libraries).

I'd be happy to apply your patches to the 0.9.7 and 0.9.8-dev branches, as soon as it's complete.

[EMAIL PROTECTED] - Mon Mar 29 14:01:30 2004]:

> Greetings,
>
> Enclosed below please find the output of 'diff -u' for the two files
> Configure and config. The additions listed in these two files add
> configuration support for Interix. This covers the previous release, 3.0,
> which did not have pthreads, and the current and likely future releases
> which do have pthread support.
>
> No other changes to files (source or otherwise) are needed. Everything
> else works just fine.
>
> Interix does not ship with OpenSSL. A binary version of OpenSSL for
> Interix can be installed as a package from
> http://www.interopsystems.com/tools/warehouse.htm
>
> Let me know if there are any questions.
>
> thanks
> Rodney

--
Richard Levitte [EMAIL PROTECTED]
[openssl.org #862] BUG: null pointer exception in openssl 0.9.7d ca command
You're right it is definitely fixed in the snapshot. Sorry for the inconvenience.

-Fiel
RE: [openssl.org #853] serial/index file handling broken on Windows in 0.9.7d
Hi Richard,

Sorry for the delay. The snapshot from after you asked me to test it the first time (openssl-0.9.7-stable-SNAP-20040327) passed my tests.

Thanks,

Steven

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Richard Levitte via RT
Sent: Wednesday, 31 March 2004 7:15 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: [openssl.org #853] serial/index file handling broken on Windows in 0.9.7d

Hello,

I would very much like to know if my fix worked, so I can close this ticket.

[levitte - Thu Mar 25 21:10:19 2004]:

> I think I fixed the problem by moving the definition of Win32_rename()
> to the end of apps.c. Please check tomorrow's 0.9.7 snapshot and come
> back to me with any feedback (even hoorays :-)).
>
> [EMAIL PROTECTED] - Mon Mar 22 17:17:44 2004]:
>
> > Re: openssl-dev thread: New CA index subfiles (.attr, .attr.new,
> > .attr.old, .new)
> >
> > OpenSSL 0.9.7d introduces a bug on Windows in the openssl executable in
> > relation to the renaming of temporary serial and index files. The
> > renames are failing since the special WIN32_rename() function (which
> > removes the destination file before the rename) is not being used on
> > Windows due to the rename macro being undefined before it is used. I
> > think the problem was introduced when the serial/index file handling
> > code was tacked onto the end of apps.c. With similar code in a separate
> > module previously the undef was not having such an effect.
> >
> > I've verified that redefining rename by copying line 140 of apps.h and
> > inserting it after line 353 of apps.c fixes all of the problems with
> > serial and index files that I was experiencing:
> >
> > apps.c:352 #undef rename
> > apps.c:353 return rename(from, to);
> > apps.h:140 #define rename(from,to) WIN32_rename((from),(to))
> >
> > Regards,
> >
> > Steven

--
Richard Levitte [EMAIL PROTECTED]
Re: [openssl.org #853] serial/index file handling broken on Windows in 0.9.7d
In message [EMAIL PROTECTED] on Wed, 31 Mar 2004 12:57:48 +1000, Steven Reddie [EMAIL PROTECTED] said:

smr> Sorry for the delay. The snapshot from after you asked me to test it the
smr> first time (openssl-0.9.7-stable-SNAP-20040327) passed my tests.

Thanks.

-----
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.

--
Richard Levitte \ Tunnlandsvägen 52 \ [EMAIL PROTECTED]
[EMAIL PROTECTED] \ S-168 36 BROMMA \ T: +46-708-26 53 44
\ SWEDEN \
Procurator Odiosus Ex Infernis -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See http://www.stacken.kth.se/~levitte/mail/ for more info.
[openssl.org #853] serial/index file handling broken on Windows in 0.9.7d
Steven Reddie has now confirmed, on openssl-dev, that this issue is resolved. Thanks, Steve.

Ticket resolved.

[levitte - Tue Mar 30 23:14:37 2004]:

> I would very much like to know if my fix worked, so I can close this
> ticket.

--
Richard Levitte [EMAIL PROTECTED]
[openssl.org #9] Re: [patch] Sign certs that aren't self signed for x509 -CA
I'm honestly very unsure about this one. After all, openssl ca already covers this, so I wonder why there's a need to create another way to do the same thing, and add to the confusion on how to do things.. . [EMAIL PROTECTED] - Thu Apr 25 16:20:45 2002]: What about the patch below for 0.9.6d? Doc patch as well: --- x509.pod.orig Mon Jan 14 12:03:55 2002 +++ x509.podMon Jan 14 12:03:35 2002 @@ -43,6 +43,7 @@ [B-CAkey filename] [B-CAcreateserial] [B-CAserial filename] +[B-noselfsign] [B-text] [B-C] [B-md2|-md5|-sha1|-mdc2] @@ -300,7 +301,8 @@ of the CA and it is digitally signed using the CAs private key. This option is normally combined with the B-req option. Without the -B-req option the input is a certificate which must be self signed. +B-req option the input is a certificate which must be self signed +(unless B-noselfsign is specified). =item B-CAkey filename @@ -327,6 +329,11 @@ it will contain the serial number 02 and the certificate being signed will have the 1 as its serial number. Normally if the B-CA option is specified and the serial number file does not exist it is an error. + +=item B-noselfsign + +with this option the mini CA (see B-CA) will sign certificates +with unverified signatures. =item B-extfile filename Simon Josefsson [EMAIL PROTECTED] writes: This patch that allows you to override the check for a valid self- signed certificate when signing certs using 'x509 -CA'. I find this useful for those times when you edit certs with M-x hexl-mode. --- x509.c.orig Mon Jan 14 11:41:05 2002 +++ x509.c Mon Jan 14 11:41:41 2002 @@ -122,6 +122,7 @@ missing, it is assumed to be in the CA file.\n, -CAcreateserial - create serial number file if it does not exist\n, -CAserial - serial file\n, + -noselfsign - accept certificates that aren't self signed, for -CA.\n, -text - print the certificate in text form\n, -C - print out C code forms\n, -md2/-md5/-sha1/-mdc2 - digest to use\n, 
@@ -137,7 +138,8 @@ LHASH *conf, char *section); static int x509_certify (X509_STORE *ctx,char *CAfile,const EVP_MD *digest, X509 *x,X509 *xca,EVP_PKEY *pkey,char *serial, -int create,int days, int clrext, LHASH *conf, char *section); +int create,int days, int clrext, LHASH *conf, +char *section, int noselfsign); static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt); static int reqfile=0; @@ -158,6 +160,7 @@ char *infile=NULL,*outfile=NULL,*keyfile=NULL,*CAfile=NULL; char *CAkeyfile=NULL,*CAserial=NULL; char *alias=NULL; + int noselfsign=0; int text=0,serial=0,hash=0,subject=0,issuer=0,startdate=0,enddate=0; int noout=0,sign_flag=0,CA_flag=0,CA_createserial=0,email=0; int trustout=0,clrtrust=0,clrreject=0,aliasout=0,clrext=0; @@ -339,6 +342,8 @@ } else if (strcmp(*argv,-C) == 0) C= ++num; + else if (strcmp(*argv,-noselfsign) == 0) + noselfsign = ++num; else if (strcmp(*argv,-email) == 0) email= ++num; else if (strcmp(*argv,-serial) == 0) @@ -844,8 +849,8 @@ assert(need_rand); if (!x509_certify(ctx,CAfile,digest,x,xca, - CApkey, CAserial,CA_createserial,days, clrext, - extconf, extsect)) + CApkey, CAserial,CA_createserial,days, + clrext, extconf, extsect, noselfsign)) goto end; } else if (x509req == i) @@ -966,7 +971,7 @@ static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest, X509 *x, X509 *xca, EVP_PKEY *pkey, char *serialfile, int create, -int days, int clrext, LHASH *conf, char *section) +int days, int clrext, LHASH *conf, char *section, int noselfsign) { int ret=0; BIO *io=NULL; @@ -1068,8 +1073,8 @@ /* NOTE: this certificate can/should be self signed, unless it was * a certificate request in which case it is not. */ X509_STORE_CTX_set_cert(xsc,x); - if (!reqfile !X509_verify_cert(xsc)) - goto end; + if (!reqfile !noselfsign !X509_verify_cert(xsc)) + goto end; if (!X509_check_private_key(xca,pkey)) { 
@@ -1132,6 +1137,7 @@ if (ok) { BIO_printf(bio_err,error with certificate to be certified - should be self signed\n); + BIO_printf(bio_err,consider using -noselfsign\n);
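Review bot: In the option-parsing hunk of x509.c, "noselfsign = ++num;" copies the pattern of the neighbouring "C= ++num;" and "email= ++num;" lines, which appear to give each output action its ordinal. -noselfsign is a plain switch rather than an output action, so it should not consume a slot in that counter; set "noselfsign = 1;" instead.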
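Review bot: The changed condition in x509_certify, "if (!reqfile !noselfsign !X509_verify_cert(xsc))", skips X509_verify_cert entirely when -noselfsign is given, so the mini CA signs input whose signature nobody checked, which is what the x509.pod hunk means by "unverified signatures". Print a warning to bio_err whenever the flag takes effect, update the comment above the call ("this certificate can/should be self signed") to mention the override, and have the pod text state the consequence in plain terms rather than only naming the option.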
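Review bot: The added "BIO_printf(bio_err,consider using -noselfsign\n);" in the last hunk prints on the same path as the "should be self signed" error, so every verification failure now advertises the switch that disables the check. Drop the hint from the error path and leave the option to the documentation.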
[openssl.org #859] openssl-0.9.7d compilation bug solaris9 kerberos
I'm guessing that the definition of FAR is missing. The attached patch might help. Please try it and get back to us.

[EMAIL PROTECTED] - Fri Mar 26 20:48:16 2004]:

> While compiling openssl-0.9.7d on solaris9 with MIT kerberos support
> krb5-1.3.2 either with cc 5.3 from sun or gcc 3.3.2
>
> Error is with cc :
> (Configure command : ./Configure solaris64-sparcv9-cc --prefix=/opt/openssl-0.9.7d --with-krb5-dir=/opt/krb5 --with-krb5-flavor=MIT)
>
> make[1]: Entering directory `/a/molloy/export/src/openssl-0.9.7d/ssl'
> cc -I../crypto -I.. -I../include -I/opt/krb5/include -DOPENSSL_SYSNAME_ULTRASPARC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -xtarget=ultra -xarch=v9 -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DMD5_ASM -I/opt/jumble/include -c -o s2_meth.o s2_meth.c
> ../include/openssl/kssl.h, line 134: warning: syntax requires ; after last struct/union member
> ../include/openssl/kssl.h, line 134: syntax error before or at: *
> ../include/openssl/kssl.h, line 134: cannot recover from previous errors
> cc: acomp failed for s2_meth.c
> make[1]: *** [s2_meth.o] Error 2
> make[1]: Leaving directory `/a/molloy/export/src/openssl-0.9.7d/ssl'
> make: *** [sub_all] Error 1
>
> with gcc
> (configure command : ./Configure solaris64-sparcv9-gcc --prefix=/opt/openssl-0.9.7d --with-krb5-dir=/opt/krb5 --with-krb5-flavor=MIT )
>
> make[1]: Entering directory `/a/molloy/export/src/openssl-0.9.7d/ssl'
> gcc -I../crypto -I.. -I../include -I/opt/krb5/include -DOPENSSL_SYSNAME_ULTRASPARC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -mcpu=ultrasparc -O3 -Wall -DB_ENDIAN -DMD5_ASM -I/opt/jumble/include -c -o s2_meth.o s2_meth.c
> In file included from ../include/openssl/ssl.h:179,
>                  from ssl_locl.h:129,
>                  from s2_meth.c:59:
> ../include/openssl/kssl.h:134: warning: no semicolon at end of struct or union
> ../include/openssl/kssl.h:134: error: parse error before key
> ../include/openssl/kssl.h:136: warning: type defaults to `int' in declaration of `KSSL_CTX'
> ../include/openssl/kssl.h:136: warning: data definition has no type or storage class
> ../include/openssl/kssl.h:148: error: parse error before '*' token
> ../include/openssl/kssl.h:149: error: parse error before '*' token
> ../include/openssl/kssl.h:149: warning: type defaults to `int' in declaration of `kssl_ctx_new'
> ../include/openssl/kssl.h:149: warning: data definition has no type or storage class
> ../include/openssl/kssl.h:150: error: parse error before '*' token
> ../include/openssl/kssl.h:150: error: parse error before '*' token
> ../include/openssl/kssl.h:150: warning: type defaults to `int' in declaration of `kssl_ctx_free'
> ../include/openssl/kssl.h:150: warning: data definition has no type or storage class
> ../include/openssl/kssl.h:151: error: parse error before '*' token
> ../include/openssl/kssl.h:152: error: parse error before '*' token
> ../include/openssl/kssl.h:154: error: parse error before '*' token
> ../include/openssl/kssl.h:156: error: parse error before '*' token
> ../include/openssl/kssl.h:158: error: parse error before '*' token
> ../include/openssl/kssl.h:166: error: parse error before '*' token
> In file included from ssl_locl.h:129,
>                  from s2_meth.c:59:
> ../include/openssl/ssl.h:909: error: parse error before KSSL_CTX
> ../include/openssl/ssl.h:909: warning: no semicolon at end of struct or union
> ../include/openssl/ssl.h:931: error: parse error before '}' token
> make[1]: *** [s2_meth.o] Error 1
> make[1]: Leaving directory `/a/molloy/export/src/openssl-0.9.7d/ssl'
> make: *** [sub_all] Error 1
> narrhavas:/net/src/solaris9/openssl-0.9.7

--
Richard Levitte [EMAIL PROTECTED]
Re: [openssl.org #859] openssl-0.9.7d compilation bug solaris9 kerberos
Richard Levitte via RT [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Date: Wed, 31 Mar 2004 09:44:21 +0200
Subject: [openssl.org #859] openssl-0.9.7d compilation bug solaris9 kerberos

> I'm guessing that the definition of FAR is missing. The attached patch
> might help. Please try it and get back to us.

I think you forgot the attached part..

f.g.