[openssl.org #2618] PATCH - Wrong exit code for pkeyutl -verify
When the pkeyutl application is using the -verify option it always exits with a value indicating an error even when verifying successfully. Please find below a patch that addresses this issue. It also modifies a message that is confusing when dealing with private keys. (The line numbers for this patch may vary due to another patch on this file.) Best Regards Nick diff --git a/apps/pkeyutl.c b/apps/pkeyutl.c index 7eb3f5c..6894e25 100755 --- a/apps/pkeyutl.c +++ b/apps/pkeyutl.c @@ -62,6 +62,10 @@ #include openssl/pem.h #include openssl/evp.h +#define RET_OK 0 +#define RET_ERROR 1 +#define RET_REJECTED 2 + #define KEY_PRIVKEY1 #define KEY_PUBKEY 2 #define KEY_CERT 3 @@ -102,7 +107,7 @@ int MAIN(int argc, char **argv) size_t buf_outlen; int buf_inlen = 0, siglen = -1; - int ret = 1, rv = -1; + int ret = RET_ERROR, rv = -1; argc--; argv++; @@ -332,9 +330,15 @@ int MAIN(int argc, char **argv) rv = EVP_PKEY_verify(ctx, sig, (size_t)siglen, buf_in, (size_t)buf_inlen); if (rv == 0) + { BIO_puts(out, Signature Verification Failure\n); + ret = RET_REJECTED; + } else if (rv == 1) + { BIO_puts(out, Signature Verified Successfully\n); + ret = RET_OK; + } if (rv = 0) goto end; } 
@@ -356,11 +360,11 @@ int MAIN(int argc, char **argv) if(rv = 0) { - BIO_printf(bio_err, Public Key operation error\n); + BIO_printf(bio_err, Public Key Utility - operation error\n); ERR_print_errors(bio_err); goto end; } - ret = 0; + ret = RET_OK; if(asn1parse) { if(!ASN1_parse_dump(out, buf_out, buf_outlen, 1, -1)) -- __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
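Review bot: the three RET_* defines in the first hunk introduce a new externally visible exit status (RET_REJECTED, 2) without a comment saying what each value means; add a comment next to the defines (0 verified or operation succeeded, 1 error, 2 signature rejected) and record the same mapping in the pkeyutl manual page, which this patch leaves untouched.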
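Review bot: in the EVP_PKEY_verify hunk the new `ret = RET_REJECTED;` and `ret = RET_OK;` assignments are what actually fix the reported exit code, because the verify path jumps to `end` straight after the two messages and never reaches the later `ret = RET_OK;` line; a short comment saying so would keep a future cleanup from dropping the braces and assignments as redundant. The rv < 0 case (an OpenSSL error rather than a rejected signature) is covered only by the declaration-time `ret = RET_ERROR`, which is correct but worth stating in that same comment.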
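Review bot: in the last hunk the stderr text 'Public Key operation error' becomes 'Public Key Utility - operation error', which anyone matching on that message in a script will notice; if the intent is only to stop implying a public key when a private key was used, a plainer 'Key operation error' achieves that with less churn. The `ret = 0;` to `ret = RET_OK;` change is behaviour-preserving. Note that the context line `if(rv = 0)` reads as an assignment in this copy of the patch, so the comparison operator was evidently lost in the mail; check the applied hunk against the source tree rather than this text.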
SSL protocol server certificate stage
Hi all, My question is basically, how many CA certificates are allowed to be sent during the server certificate stage of the SSL protocol negotiations and do I control it (if at all)? My clients (a Mono application) are able to connect to my SSL server if I only have 6 CA certificates in the CA directory configured in the SSL_CTX. Adding another two causes the clients to fail due to an SSL certificate error. Watching the protocol with Wireshark it stops at the Server certificate stage of the negotiations. My theory is that the clients are limited and do not like so many (8) CA certs being sent and/or can not parse them all to validate their own certificate. Is this possible and what is the limit if any? All of the certificates are signed by a root CA so the depth level is 2. Thanks LJB
Re: SSL protocol server certificate stage
Sorry my mistake - the CA certificates were manually added to the context instead of just pointing to the directory where the CAs are. The order in which the CA certificates were added was wrong and hence the problem. Changing the code to just search in the directory causes only one cert to be sent to the client and the connection succeeds every time - nice. Thanks for all your help Leon -- Leon Brits ljbr...@fastmail.fm On Friday, September 30, 2011 10:26 AM, Leon Brits ljbr...@fastmail.fm wrote:
CE 5 or CE 6 Support for OpenSSL 1.0.0e
Has anyone gotten the 1.0.0e release to build/work on CE 5 or CE 6 (w/VS2008)? I'm having a hard time making sense of all the web postings. We did get the wcecomp to build but were fuzzy on what patches to apply. Jim Row
Re: CE 5 or CE 6 Support for OpenSSL 1.0.0e
Hello, I recommend you have a look here, where I compiled 1.0.0a. http://delaage.pierre.free.fr/ Best regards, Pierre Delaage On 30/09/2011 15:41, Jim Row wrote: